Abstract. We propose a method for compositional verification to address the state space
explosion problem inherent to model-checking timed systems with a large number of
components. The main challenge is to obtain pertinent global timing constraints from
the timings in the components alone. To this end, we make use of auxiliary clocks
to automatically generate new invariants which capture the constraints induced by the
synchronisations between components. The method has been implemented in the
RTD-Finder tool and successfully experimented on several benchmarks.


1. Introduction 

Compositional methods in verification have been developed to cope with state space explosion.
Generally based on divide et impera principles, these methods attempt to break monolithic
verification problems into smaller sub-problems by exploiting either the structure of the
system or the property or both. Compositional reasoning can be used in different manners,
e.g., for deductive verification, assume-guarantee, contract-based verification, compositional
generation, etc.

The development of compositional verification for timed systems remains however
challenging. State-of-the-art tools [1, 16, 35, 25] for the verification of such systems are
mostly based on symbolic state space exploration, using efficient data structures and
particularly involved exploration techniques. In the timed context, the use of compositional
reasoning is inherently difficult due to the synchronous model of time. Time progress is
an action that synchronises continuously all the components of the system. Getting rid
of the time synchronisation is necessary for analysing independently different parts of the
system (or of the property) but becomes problematic when attempting to re-compose the
partial verification results. Nonetheless, compositional verification is actively investigated
and several approaches have been recently developed and employed in timed interfaces [2]
and contract-based assume-guarantee reasoning [18, ED].

In this paper, we propose a different approach for exploiting compositionality for analysis 
of timed systems. The driving principle is to use invariants as approximations to exact 
reachability analysis, the default technique in model-checking. We show that rather precise 
invariants can be computed compositionally, from the separate analysis of the components 
in the system and from their composition glue. This method is proved to be sound for the 
verification of safety state properties. However, it is not complete. 

The starting point is the verification method of [12], summarised in Figure 1. The method
exploits compositionality as explained next. Consider a system consisting of components $B_i$
interacting by means of a set $\gamma$ of multi-party interactions, and let $\varphi$ be a system property
of interest. Assume that all $B_i$ as well as the composition through $\gamma$ can be independently
characterised by means of component invariants $CI(B_i)$, respectively interaction invariant
$II(\gamma)$. The connection between the invariants and the system property $\varphi$ can be intuitively
understood as follows: if $\varphi$ can be proved to be a logical consequence of the conjunction of
component and interaction invariants, then $\varphi$ holds for the system.


\[
\frac{\vdash \big(\bigwedge_i CI(B_i)\big) \wedge II(\gamma) \rightarrow \varphi}{\|_\gamma B_i \models \Box\varphi} \qquad (VR)
\]

Figure 1: Compositional verification


In the rule (VR) the symbol “$\vdash$” is used to underline that the logical implication can
be effectively proved (for instance with an SMT solver) and the notation “$\|_\gamma B_i \models \Box\varphi$” is to
be read as “$\varphi$ holds in every reachable state of $\|_\gamma B_i$”.

The verification rule (VR) in [12] has been developed for untimed systems. Its direct
application to timed systems may be weak as interaction invariants do not capture global
timings of interactions between components. The key contribution of this paper is to improve
the invariant generation method so as to better track such global timings by means of auxiliary
history clocks for actions and interactions. At component level, history clocks expose the
local timing constraints relevant to the interactions of the participating components. At
composition level, extra constraints on history clocks are enforced due to the simultaneity of
interactions and to the synchrony of time progress.

As an illustration, let us consider as running example the timed system in Figure 2,
which depicts a “controller” component serving $n$ “worker” components, one at a time. The
interactions between the controller and the workers are defined by the set of synchronisations
$\{(a \mid b_i), (c \mid d_i) \mid i \le n\}$. Periodically, after every 4 units of time, the controller synchronises
its action $a$ with the action $b_i$ of any worker $i$ whose clock shows at least $4n$ units of
time. Initially, such a worker exists because the controller waits for $4n$ units of time before
interacting with workers. The cycle repeats forever because there is always a worker “willing”
to do $b$, that is, the system is deadlock-free. Proving deadlock-freedom of the system requires
establishing that when the controller is at location $l_{c1}$ there is at least one worker $i$ such that
$y_i - x \ge 4n - 4$. Unfortunately, this property cannot be shown if we use (VR) as it is in [12].
Intuitively, this is because the proposed invariants are too weak to infer cross constraints
relating the clocks of the controller and those of the workers: interaction invariants $II(\gamma)$
relate only locations of components and thus at most eliminate unreachable configurations
like $(l_{c1}, \ldots, l_{2i}, \ldots)$, while the component invariants can only state local conditions on
clocks such as $x \le 4$ at $l_{c1}$. Using history clocks allows us to recover additional constraints. For
example, after the controller returns from $l_{c2}$ to $l_{c1}$ for the first time, whenever it reaches
$l_{c1}$ again, there exists a worker $i$ whose clock has the same value as that of the controller.
Similarly, history clocks allow us to infer that different $(a \mid b_i)$ interactions are separated by at
least 4 time units. These constraints altogether are sufficient to prove the deadlock freedom
property.


Figure 2: A timed system (figure not reproduced; panel title: Controller)


Organisation of the paper. This paper is essentially an extended version of the conference
paper [5]. The extension is threefold with respect to (1) incorporating proofs, (2) detailing
technicalities about handling initial states, and (3) formalising three heuristics to speed up
and simplify invariant generation. Section 2 recalls the needed definitions for modelling timed
systems and their properties. Section 3 presents our method for compositional generation
of invariants. Section 4 describes the heuristics while Section 5 shows their use in the case
studies we experimented with in our implementation. Section 6 concludes.

2. Timed Systems and Properties 

In the framework of the present paper, components are timed automata and systems
are compositions of timed automata with respect to multi-party interactions. The timed
automata we use are essentially the ones from [2], however, slightly adapted to embrace a
uniform notation throughout the paper.

Definition 2.1 (Syntax). A component is a timed automaton $(L, A, X, T, tpc, s_0)$ where
$L$ is a finite set of locations, $A$ a finite set of actions, $X$ is a finite set of local¹ clocks,
$T \subseteq L \times (A \times C \times 2^X) \times L$ is a set of edges labelled with an action, a guard, and a set of
clocks to be reset, $tpc : L \to C$ assigns a time progress condition² to each location, $C$ is the
set of clock constraints and $s_0 \in L \times C$ provides the initial configuration. A clock constraint
is defined by the grammar:

\[
C ::= true \mid x \,\#\, ct \mid x - y \,\#\, ct \mid C \wedge C
\]

with $x, y \in X$, $\# \in \{<, \le, =, \ge, >\}$ and $ct \in \mathbb{Z}$. Time progress conditions are restricted to
conjunctions of constraints of the form $x \le ct$.

¹ Locality is essential for avoiding side effects which would break compositionality and local analysis.

² To avoid confusion with invariant properties, we prefer to adopt the terminology of “time progress
condition” from [m] instead of “location invariants”.

Before recalling the semantics of a component, we first fix some notation. Let $V$ be the
set of all clock valuation functions $v : X \to \mathbb{R}_{\ge 0}$. For a clock constraint $C$, $v \models C$ denotes
the evaluation of $C$ in $v$. The notation $v + \delta$ represents a new $v'$ defined as $v'(x) = v(x) + \delta$
while $v[r]$ represents a new $v'$ which assigns any $x$ in $r$ to 0 and otherwise preserves the
values from $v$.

Definition 2.2 (Semantics). The semantics of a component $B = (L, A, X, T, tpc, s_0)$ is
given by the labelled transition system $(Q, A, \to, Q_0)$ where $Q \subseteq L \times V$ denotes the states
of $B$, $\to \subseteq Q \times (A \cup \mathbb{R}_{\ge 0}) \times Q$ denotes the transitions according to the rules:

• $(l, v) \xrightarrow{\delta} (l, v + \delta)$ if $(\forall \delta' \in [0, \delta]).(tpc(l)(v + \delta'))$ (time progress);

• $(l, v) \xrightarrow{a} (l', v[r])$ if $(l, (a, g, r), l') \in T$, $g(v) \wedge tpc(l')(v[r])$ (action step),

and $Q_0 = \{(l_0, v_0) \mid s_0 = (l_0, c_0) \wedge c_0(v_0)\}$ denotes the initial states.

Because the semantics defined above is in general infinite, we work with the so called
zone graph [m] as a finite symbolic representation. The symbolic states in a zone graph are
pairs $(l, \zeta)$ where $l$ is a location of $B$ and $\zeta$ is a zone, a set of clock valuations defined by
clock constraints. The initial configuration $s_0 = (l_0, c_0)$ corresponds trivially to a symbolic
state $(l_0, \zeta_0)$. Given a symbolic state $(l, \zeta)$, its successor with respect to a transition $t$ of $B$
is denoted as $succ(t, (l, \zeta))$ and defined by means of its timed and its discrete successor:

• $time\_succ((l, \zeta)) = (l, \nearrow\zeta \wedge tpc(l))$

• $disc\_succ(t, (l, \zeta)) = (l', (\zeta \wedge g)[r] \wedge tpc(l'))$ if $t = (l, (\cdot, g, r), l')$

• $succ(t, (l, \zeta)) = norm(time\_succ(disc\_succ(t, (l, \zeta))))$

where $\nearrow$, $[r]$, $norm$ are usual operations on zones: $\nearrow\zeta$ is the forward diagonal projection of
$\zeta$, i.e., it contains any valuation $v'$ for which there exists a real $\delta$ such that $v' - \delta$ is in $\zeta$;
$\zeta[r]$ is the set of all valuations in $\zeta$ after applying the resets in $r$; $norm(\zeta)$ corresponds to
normalising $\zeta$ such that all bounds on clocks and clock differences are either bounded by
some finite value or infinite. Since our use of invariants is only as over-approximations of
the reachable states, a more thorough discussion on normalisation is not relevant for the
present paper. The interested reader may refer to [mm] for more precise definitions.

A symbolic execution of $B$ is a sequence of symbolic states $s_0, \ldots, s_i, \ldots$³ such that
for any $i > 0$, there exists a transition $t$ for which $s_i$ is $succ(t, s_{i-1})$. The set of reachable
symbolic states of $B$ is $Reach_B(s_0)$ where $Reach_B$ is defined recursively as:

\[
Reach_B(s) = \{s\} \cup \bigcup_{t \in T} Reach_B(succ(t, s))
\]

for an arbitrary $s$ and $T$ the set of transitions in $B$. We remind that the set $Reach_B(s_0)$
can be shown finite knowing that the number of normalised zones is finite. In general, the
symbolic zone graph provides an over-approximation of the set of reachable states. This
over-approximation is exact only for timed automata without diagonal constraints [jiniiis].

³ We tacitly assume that $s_0$ is such that $s_0 = time\_succ(s_0)$. If this is not the case, one can always consider
$time\_succ(s_0)$ instead of $s_0$ for the definition of symbolic executions and reachable states.
In our framework, components communicate by means of interactions, which are
synchronisations between actions. Given $n$ components with disjoint sets of actions
$A_i$, an interaction is a subset $\alpha \subseteq \bigcup_i A_i$ containing at most one action per component. We
denote interactions $\alpha$ as sets $\{a_i\}_{i \in I}$, with $a_i \in A_i$ for all $i \in I \subseteq \{1, \ldots, n\}$. For readability,
in examples, we use the alternative notation $(a_1 \mid a_2 \mid \cdots \mid a_l)$ instead. Given a set of
interactions $\gamma$, we denote by $Act(\gamma)$ the set of actions involved in $\gamma$, that is, $Act(\gamma) = \bigcup_{\alpha \in \gamma} \alpha$.

Definition 2.3 (Timed System). For a given $n$ and $i \in \{1, \ldots, n\}$ let $B_i = (L_i, A_i, X_i,
T_i, tpc_i, s_{0i})$ be $n$ components with disjoint sets of actions and initial states $s_{0i} = (l_{0i}, c_{0i})$.
Let $\gamma$ be a set of interactions constructed from $\bigcup_i A_i$. The timed system $\|_\gamma B_i$ is defined
as the component $(L, \gamma, X, T_\gamma, tpc, s_0)$ where $L = \times_i L_i$, $X = \bigcup_i X_i$, $tpc(l) = \bigwedge_i tpc_i(l_i)$,
$s_0 = ((l_{01}, \ldots, l_{0n}), \bigwedge_i c_{0i})$ and

\[
T_\gamma = \left\{ (l, (\alpha, g, r), l') \;\middle|\;
\begin{array}{l}
l = (l_1, \ldots, l_n) \in L,\; l' = (l'_1, \ldots, l'_n) \in L, \\
\alpha = \{a_i\}_{i \in I} \in \gamma,\; \forall i \in I.\,(l_i, (a_i, g_i, r_i), l'_i) \in T_i,\; \forall i \notin I.\, l_i = l'_i, \\
g = \bigwedge_{i \in I} g_i,\; r = \bigcup_{i \in I} r_i
\end{array} \right\}
\]


In the timed system $\|_\gamma B_i$, a component $B_i$ can execute an action $a_i$ only as part of an
interaction $\alpha$, $a_i \in \alpha$, that is, along with the execution of all other actions $a_j \in \alpha$.⁴ This
corresponds to the usual notion of multi-party interaction. We note that interactions can
only restrict the behaviour of components, i.e., the states reached by $B_i$ in $\|_\gamma B_i$ belong to
$Reach_{B_i}(s_{0i})$. This is a property which is exploited in the verification rule (VR) in Figure 1.
To give a logical characterisation of components and their properties, we use invariants.
An invariant is a state predicate which holds in every reachable state of $B$, in symbols,
$B \models \Box\Phi$. We use $CI(B)$ and $II(\gamma)$ to denote component, respectively interaction,
invariants. For component invariants, our choice is to work with their reachable symbolic
set. More precisely, for component $B$, its associated component invariant $CI(B)$ is the
disjunction of $(l \wedge \zeta)$ for all symbolic states $(l, \zeta)$ in $Reach_B(s_0)$. To ease the reading, we
abuse notation and use $l$ as a placeholder for a state predicate “$at(l)$” which holds in any
symbolic state with location $l$, that is, the semantics of $at(l)$ is given by $(l, \zeta) \models at(l)$. As
an example, the component invariants for the example in Figure 2 with one worker are:

\[
CI(Controller) = (l_{c0} \wedge x \ge 0) \vee (l_{c1} \wedge 4 \ge x \ge 0) \vee (l_{c2} \wedge x \ge 0)
\]

\[
CI(Worker_1) = (l_{11} \wedge y_1 \ge 0) \vee (l_{21} \wedge y_1 \ge 4).
\]

The interaction invariants are computed by the method explained in [12]. Interaction
invariants are over-approximations of the global state space allowing us to disregard certain
tuples of local states as unreachable. As an illustration, consider the interaction invariant
for the running example when the controller is interacting with one worker:

\[
II(\{(a \mid b_1), (c \mid d_1)\}) = (l_{11} \vee l_{c2}) \wedge (l_{21} \vee l_{c0} \vee l_{c1}).
\]

The invariant is given in conjunctive normal form to stick to the formalism in [mm]. Every
disjunction corresponds to the so called notion of “initially marked traps” in an underlying
Petri net associated to our model. Intuitively, a trap in Petri nets is a set of places which
always contains tokens if they have tokens initially.

⁴ To simplify the notation, we omit unary interactions and the actions for transitions involved in them.
For example, in Figure 2 the initial transition in Controller does not have an explicit action associated.
We note that the proposed⁵ component and interaction invariants are inductive invariants.
A state predicate is called inductive for a component or system $B$ if, whenever it holds for a
state $s$ of $B$ it equally holds for any of its successors $s'$. That is, the validity of an inductive
predicate is preserved by executing any transition, timed or discrete. An inductive predicate
which moreover holds at initial states is an (inductive) invariant. Trivially, such a predicate
holds in all reachable states.

As for component properties, we are interested in arbitrary invariant state properties
that can be expressed as boolean combinations of “$at(l)$” predicates and clock constraints.
Invariant properties include generic properties such as mutual exclusion, absence of deadlock,
unreachability of “bad” states, etc. As a simple illustration consider the property $l_{c1} \rightarrow
\bigvee_i (y_i - x \ge 4n - 4)$, discussed for our running example introduced in Section 1. As a more
sophisticated example, consider absence of deadlock. Intuitively, a timed system with a set
of interactions $\gamma$ is deadlocked when no interaction in $\gamma$ is enabled. Absence of deadlock is
therefore expressed as the disjunction $\bigvee_{\alpha \in \gamma} enabled(\alpha)$. As for the enabledness predicate,
we borrow it from [31] where it is essentially constructed from the syntactic definition of
the timed system. More precisely, for an interaction $\alpha$, $enabled(\alpha)$ is $\bigvee_t enabled(t)$, with $t$
being a transition triggered by $\alpha$. In turn, for $t = (l, (\alpha, g, r), l')$, $enabled(t)$ is defined using
elementary operations on zones as $l \wedge \swarrow(g \wedge [r]tpc(l') \wedge tpc(l))$, where $\swarrow\zeta$ is the backward
diagonal projection of $\zeta$ and $[r]\zeta$ is the set of valuations $v$ such that $v[r]$ is in $\zeta$.

3. Timed Invariant Generation 

As explained in the introduction, a direct application of the compositional verification
rule (VR) may not be useful in itself in the sense that the component and the interaction
invariants alone are usually not enough to prove global properties, especially when such
properties involve relations between clocks in different components. More precisely, though
component invariants encode timings of local clocks, there is no direct way (the interaction
invariant is orthogonal to timing aspects) to constrain the bounds on the differences
between clocks in different components. To give a concrete illustration, consider the property
$\varphi_{safe} = (l_{c1} \wedge l_{11} \rightarrow x \le y_1)$ that holds in the running example with one worker. We note
that if this property is satisfied, it is guaranteed that the global system is not deadlocked
when the controller is at location $l_{c1}$ and the worker is at location $l_{11}$. It is not difficult to see
that $\varphi_{safe}$ cannot be deduced from $CI(Controller) \wedge CI(Worker_1) \wedge II(\{(a \mid b_1), (c \mid d_1)\})$
as no relation can be established between $x$ and $y_1$.

3.1. History Clocks for Actions. In this section, we show how we can, by means of some
auxiliary constructions, apply (VR) more successfully. To this end, we “equip” components
(and later, interactions) with history clocks, a clock per action; then, at interaction time,
the clocks corresponding to the actions participating in the interaction are reset. This basic
transformation allows us to automatically compute a new invariant of the system with
history clocks. This new invariant, together with the component and interaction invariants,
is shown to be, after projection of history clocks, an invariant of the initial system.

⁵ The rule (VR) is generic enough to work with other types of invariants. For example, one could use any
over-approximation of the reachable set in the case of component invariants, however, this comes at the price
of losing precision.
Definition 3.1 (Components with History Clocks). Given component $B = (L, A, X, T,
tpc, s_0)$, its extension with history clocks is the component $B^h = (L, A, X \cup H_A, T^h, tpc, s_0^h)$
where

• $H_A = \{h_0\} \cup \{h_a \mid a \in A\}$ is the set of history clocks,

• $T^h = \{(l, (a, g, r \cup \{h_a\}), l') \mid (l, (a, g, r), l') \in T\}$,

• $s_0^h = (l_0, c_0^h)$, where $c_0^h = (c_0 \wedge h_0 = 0 \wedge \bigwedge_{a \in A} h_a > 0)$, given $s_0 = (l_0, c_0)$.

The clock $h_0$ measures the time from the initialisation. This clock equals 0 in $s_0^h$ and is
never tested or reset. Due to this very restricted use, the same clock $h_0$ can be consistently
used (shared) by all components $B_i^h$ and consequently allows us to capture clock constraints
derived from the common system initialisation time.

Every history clock $h_a$ measures the time passed from the last occurrence of action $a$.
These history clocks are initially strictly greater than 0 and are reset when the corresponding
action is executed. As a side effect, whenever $h_a$ is strictly bigger than $h_0$, we can infer that
the action $a$ has not been (yet) executed. This initialisation scheme allows a more refined
analysis precisely because we can distinguish between actions which were executed and those
which were not.

Since there is no timing constraint involving history clocks, these have no influence on
the behaviour. The extended model is, in fact, bisimilar to the original model. Moreover,
any invariant of the extended model $B^h$ corresponds to an invariant of the original component.
By abuse of notation, given a set of actions $A = \{a_1, \ldots, a_m\}$, we use $\exists H_A$ to stand for
$\exists h_{a_1} \exists h_{a_2} \cdots \exists h_{a_m} \exists h_0$.

Proposition 3.2.

(1) If $\Phi^h$ is an invariant of $B^h$ then $\Phi = \exists H_A.\Phi^h$ is an invariant of $B$.

(2) If $\Phi^h$ is an invariant of $B^h$ and $\Psi^h$ an inductive assertion of $B^h$ expressed on history
clocks $H_A \setminus \{h_0\}$ then $\Phi = \exists H_A.(\Phi^h \wedge \Psi^h)$ is an invariant of $B$.

Proof. (1) It suffices to notice that any symbolic state $(l, \zeta^h)$ in the reachable set $Reach_{B^h}(s_0^h)$
corresponds to a symbolic state $(l, \zeta)$ in the reachable set $Reach_B(s_0)$ such that $\zeta$ is the
projection of $\zeta^h$ to clocks in $X$, that is $\zeta = \exists H_A.\zeta^h$. Henceforth, $\exists H_A.Reach_{B^h}(s_0^h) =
Reach_B(s_0)$. Moreover, for any invariant $\Phi^h$ of $B^h$ it holds $\exists H_A.Reach_{B^h}(s_0^h) \subseteq \exists H_A.\Phi^h$.
By combining the two facts, we obtain that $\Phi$ is an invariant of $B$.

(2) Consider the modified component with history clocks $B^{h'}$ defined as $B^h$ but
with initial configuration $(l_0, c_0^h \wedge \Psi^h)$. This initial configuration is valid, as $\Psi^h$ constrains
exclusively clocks in $H_A$ whereas $c_0$ leaves all of them unconstrained. Now, it can be easily
shown that $\Phi^h \wedge \Psi^h$ is an invariant of $B^{h'}$. Then, following the same reasoning as for point
(1) we obtain that $\exists H_A.(\Phi^h \wedge \Psi^h)$ is an invariant of $B$. □

The only operation acting on history clocks is reset. Its effect is that immediately after 
an interaction takes place, all history clocks involved in the interaction are equal to zero. 
All the remaining ones preserve their previous values, thus they are greater than or equal 
to those being reset. This basic observation is exploited in the following definition, which 
builds, recursively, all the inequalities that could hold given an interaction set 7 . 
Definition 3.3 (Interaction Inequalities for History Clocks). Given an interaction set $\gamma$, we
define the following interaction inequalities $\mathcal{E}(\gamma)$:

\[
\mathcal{E}(\gamma) = \bigvee_{\alpha \in \gamma} \Big( \bigwedge_{\substack{a_i, a_j \in \alpha \\ a_k \in Act(\gamma \ominus \alpha)}} h_{a_i} = h_{a_j} \le h_{a_k} \;\wedge\; \mathcal{E}(\gamma \ominus \alpha) \Big)
\]

where $\gamma \ominus \alpha = \{\beta \setminus \alpha \mid \beta \in \gamma \wedge \beta \not\subseteq \alpha\}$ and $\mathcal{E}(\emptyset) = true$.


The mechanism of history clocks is as follows. When an interaction $\alpha$ takes place, the
history clocks $h_a$ associated to any action $a \in \alpha$ are reset. Thus they are all equal and
smaller than any other clocks and measure the time passed from the last occurrence of $\alpha$.

The operation $\gamma \ominus \alpha$ eliminates in any interaction $\beta$ the actions from $\alpha$. As an illustration,
for $\beta = (a \mid a_1 \mid a_2)$, $\alpha = (a_1 \mid a_2)$, $\gamma = \{\alpha, \beta\}$, $\gamma \ominus \alpha = \{(a)\}$.

We can use the interpreted function “min” as syntactic sugar to have a slightly more
compact expression for $\mathcal{E}(\gamma)$ as follows:

\[
\mathcal{E}(\gamma) = \bigvee_{\alpha \in \gamma} \Big( \bigwedge_{a_i, a_j \in \alpha} h_{a_i} = h_{a_j} \le \min_{a_k \in Act(\gamma \ominus \alpha)} h_{a_k} \;\wedge\; \mathcal{E}(\gamma \ominus \alpha) \Big)
\]

As an example, for $\gamma = \{(a \mid b_1), (c \mid d_1)\}$ corresponding to the interactions between the
controller and one worker in Figure 2, the compact form is:

\[
(h_a = h_{b_1} \le \min(h_c, h_{d_1}) \wedge h_c = h_{d_1}) \;\vee\; (h_c = h_{d_1} \le \min(h_a, h_{b_1}) \wedge h_a = h_{b_1}).
\]

$\mathcal{E}(\gamma)$ characterises the relations between history clocks during any possible execution. It can
be shown that this characterisation is, in fact, an inductive predicate of the extended system
with history clocks.


Proposition 3.4. $\mathcal{E}(\gamma)$ is an inductive predicate of $\|_\gamma B_i^h$.

Proof. Assume $\mathcal{E}(\gamma)$ holds in some arbitrary state $s$ of $\|_\gamma B_i^h$. We have two categories of
successor states for $s$, namely time successors and discrete successors. Obviously $\mathcal{E}(\gamma)$
holds for all time successors $s'$, as all clocks progress uniformly and henceforth all the
relations between them are preserved. Let now $s'$ be a discrete successor of $s$ by an arbitrary
interaction $\alpha$. As all the history clocks for actions in $\alpha$ have just been reset, $s'$ satisfies

\[
\bigwedge_{\substack{a_i, a_j \in \alpha \\ a_k \in Act(\gamma \ominus \alpha)}} 0 = h_{a_i} = h_{a_j} \le h_{a_k} \qquad (3.1)
\]

To conclude the proof, we need to show that moreover, for the remaining clocks of actions
in $Act(\gamma \ominus \alpha)$, they satisfy $\mathcal{E}(\gamma \ominus \alpha)$ in $s'$. Actually, we can show the additional fact that for
any set of interactions $\gamma$ and for any interaction $\alpha$, the implication $\mathcal{E}(\gamma) \rightarrow \mathcal{E}(\gamma \ominus \alpha)$ is valid
in any reachable state. This fact can be simply proven by induction on the size of the set of
interactions $\gamma$ following the definition of $\mathcal{E}$. Consequently, assuming that $\mathcal{E}(\gamma)$ holds at $s$, it
follows that $\mathcal{E}(\gamma \ominus \alpha)$ holds at $s$. Then $\mathcal{E}(\gamma \ominus \alpha)$ also holds at $s'$ because $\alpha$ does not modify
any clock involved in $\gamma \ominus \alpha$ and this concludes the proof. □
By using Proposition 3.4 and Proposition 3.2 we can safely combine the component
and interaction invariants of the system with history clocks with the interaction inequalities.
We can eliminate the history clocks from $\bigwedge_i CI(B_i^h) \wedge II(\gamma) \wedge \mathcal{E}(\gamma)$ and obtain an invariant
of the original system. This invariant is usually stronger than $\bigwedge_i CI(B_i) \wedge II(\gamma)$ and yields
more successful applications of the rule (VR).

Corollary 3.5. $\exists H_A.(\bigwedge_i CI(B_i^h) \wedge II(\gamma) \wedge \mathcal{E}(\gamma))$ is an invariant of $\|_\gamma B_i$.

Example 3.6. We reconsider the model of a controller and a worker from Figure 2. We show
how the generated invariants are enough to prove the safety property $\varphi_{safe} = (l_{c1} \wedge l_{11} \rightarrow
x \le y_1)$ from Section 3. The invariants for the components with history clocks are computed
precisely as illustrated in Section 2, that is, they represent zone graphs:

\[
\begin{array}{ll}
CI(Controller^h) = & (l_{c0} \wedge x = h_0 \le h_a \wedge h_0 \le h_c) \;\vee \\
& (l_{c1} \wedge x \le h_0 - 4 \wedge x \le 4 \wedge h_0 \le h_a \wedge h_0 \le h_c) \;\vee \\
& (l_{c1} \wedge x \le 4 \wedge x = h_c \le h_a \le h_0 - 8) \;\vee \\
& (l_{c2} \wedge x \le h_0 - 8 \wedge h_a = x \wedge h_0 \le h_c) \;\vee \\
& (l_{c2} \wedge x = h_a \wedge h_c = h_a + 4 \le h_0 - 8)
\end{array}
\]

\[
\begin{array}{ll}
CI(Worker_1^h) = & (l_{11} \wedge y_1 = h_0 \le h_{d_1} \wedge h_0 \le h_{b_1}) \;\vee \\
& (l_{11} \wedge y_1 = h_{d_1} \le h_{b_1} \le h_0 - 4) \;\vee \\
& (l_{21} \wedge h_{b_1} + 4 \le y_1 = h_0 \le h_{d_1}) \;\vee \\
& (l_{21} \wedge y_1 = h_{d_1} \le h_0 - 4 \wedge h_{b_1} \le h_{d_1} - 4)
\end{array}
\]

By using the interaction invariant described in Section 2 and the inequality constraints
$\mathcal{E}(\{(a \mid b_1), (c \mid d_1)\})$, after the elimination of the existential quantifiers in

\[
(\exists h_a \exists h_{b_1} \exists h_c \exists h_{d_1} \exists h_0).(CI(Controller^h) \wedge CI(Worker_1^h) \wedge II(\gamma) \wedge \mathcal{E}(\gamma))
\]

we obtain the following invariant $\Phi$:

\[
\begin{array}{ll}
\Phi = & (l_{11} \wedge l_{c0} \wedge x = y_1) \;\vee \\
& (l_{11} \wedge l_{c1} \wedge (y_1 = x \vee x + 4 \le y_1)) \;\vee \\
& (l_{21} \wedge l_{c2} \wedge (y_1 = x + 4 \vee x + 8 \le y_1)).
\end{array}
\]

We used bold fonts in $\Phi$ to highlight the relations between $x$ and $y_1$ which are not in
$CI(Controller) \wedge CI(Worker_1) \wedge II(\gamma)$. It can be easily checked now that $\Phi \rightarrow \varphi_{safe}$ holds
and consequently, this proves that $\varphi_{safe}$ holds for the system.

To sum up, the basic steps of our invariant generation method described so far are:

(1) compute the interaction invariant $II(\gamma)$;

(2) extend the components $B_i$ to components with history clocks $B_i^h$;

(3) compute component invariants $CI(B_i^h)$;

(4) compute inequality constraints $\mathcal{E}(\gamma)$ for interactions $\gamma$;

(5) finally, eliminate the history clocks in $\bigwedge_i CI(B_i^h) \wedge II(\gamma) \wedge \mathcal{E}(\gamma)$.

We note that, due to the combination of recursion and disjunction, $\mathcal{E}(\gamma)$ can be large. Much
more compact formulae can be obtained by exploiting non-conflicting interactions, i.e.,
interactions that do not share actions.

Proposition 3.7. If $\gamma = \gamma_1 \cup \gamma_2$ such that $Act(\gamma_1) \cap Act(\gamma_2) = \emptyset$ then $\mathcal{E}(\gamma) = \mathcal{E}(\gamma_1) \wedge \mathcal{E}(\gamma_2)$.
Proof. By induction on the number of interactions in $\gamma$. In the base case, $\gamma$ has a single
interaction and the property trivially holds. For the induction step, for the ease of
reading, we introduce $eq(\alpha)$ and $leq(\alpha, \gamma)$ to denote respectively $\bigwedge_{a_i, a_j \in \alpha} h_{a_i} = h_{a_j}$
and $\bigwedge_{a_i \in \alpha,\, a_k \in Act(\gamma \ominus \alpha)} h_{a_i} \le h_{a_k}$. $\mathcal{E}(\gamma)$ can be rewritten as follows:

\[
\begin{array}{rl}
\mathcal{E}(\gamma) = & \displaystyle \bigvee_{\alpha \in \gamma_1} eq(\alpha) \wedge leq(\alpha, \gamma) \wedge \mathcal{E}((\gamma_1 \cup \gamma_2) \ominus \alpha) \;\vee\; \bigvee_{\alpha \in \gamma_2} eq(\alpha) \wedge leq(\alpha, \gamma) \wedge \mathcal{E}((\gamma_1 \cup \gamma_2) \ominus \alpha) \\[1ex]
& \text{(using } \gamma_2 \ominus \alpha = \gamma_2 \text{ for } \alpha \in \gamma_1 \text{ and by induction for } \gamma' = (\gamma_1 \ominus \alpha) \cup \gamma_2\text{)} \\[1ex]
= & \displaystyle \bigvee_{\alpha \in \gamma_1} eq(\alpha) \wedge leq(\alpha, \gamma) \wedge \mathcal{E}(\gamma_1 \ominus \alpha) \wedge \mathcal{E}(\gamma_2) \;\vee\; \bigvee_{\alpha \in \gamma_2} eq(\alpha) \wedge leq(\alpha, \gamma) \wedge \mathcal{E}(\gamma_1) \wedge \mathcal{E}(\gamma_2 \ominus \alpha) \\[1ex]
& \text{(using } \bigvee_{\alpha \in \gamma_i} eq(\alpha) \wedge leq(\alpha, \gamma_i) \wedge \mathcal{E}(\gamma_i \ominus \alpha) = \mathcal{E}(\gamma_i) \text{ for } i \in \{1, 2\}\text{)} \\[1ex]
= & \displaystyle \mathcal{E}(\gamma_1) \wedge \mathcal{E}(\gamma_2) \wedge \Big( \bigvee_{\alpha \in \gamma_1} leq(\alpha, \gamma_2) \vee \bigvee_{\alpha \in \gamma_2} leq(\alpha, \gamma_1) \Big) \\[1ex]
& \text{(using totality of “$\le$” and disjointness of } \gamma_i\text{)} \\[1ex]
= & \mathcal{E}(\gamma_1) \wedge \mathcal{E}(\gamma_2) \qquad \square
\end{array}
\]

The following corollary is an immediate consequence of Proposition 3.7.


Corollary 3.8. If the interaction model $\gamma$ has only disjoint interactions, i.e., for any
$\alpha_1, \alpha_2 \in \gamma$, $\alpha_1 \cap \alpha_2 = \emptyset$, then $\mathcal{E}(\gamma) = \bigwedge_{\alpha \in \gamma} \bigwedge_{a_i, a_j \in \alpha} h_{a_i} = h_{a_j}$.

The two interactions in $\gamma = \{(a \mid b_1), (c \mid d_1)\}$ are disjoint. Thus, we can simplify the
expression of $\mathcal{E}(\gamma)$ to $(h_a = h_{b_1}) \wedge (h_c = h_{d_1})$.
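As an added example (not code from the paper or from the RTD-Finder tool), the Python below builds $\mathcal{E}(\gamma)$ literally from the recursion of Definition 3.3 as a formula tree, evaluates it on history-clock valuations taken from a constructed trace of the one-worker running example, and compares it with the equality form of Corollary 3.8; a second interaction set sharing the action $a$ shows how the disjunctive form grows once interactions conflict. Action and clock names follow the paper; the trace and the initial values of the not-yet-executed clocks are constructed.

```python
from itertools import combinations

def minus(gamma, alpha):
    """gamma ⊖ alpha (Definition 3.3): remove alpha's actions from every
    interaction of gamma and drop the interactions that become empty."""
    return frozenset(beta - alpha for beta in gamma if beta - alpha)

def act(gamma):
    """Act(gamma): all actions occurring in the interaction set."""
    return frozenset().union(*gamma)

def interaction_inequalities(gamma):
    """E(gamma) built from the recursive definition, as a formula tree:
    ('or', [..]), ('and', [..]), ('eq', h, h'), ('le', h, h'); E(∅) is True."""
    if not gamma:
        return True
    disjuncts = []
    for alpha in sorted(gamma, key=sorted):
        rest = minus(gamma, alpha)
        acts = sorted(alpha)
        # h_ai = h_aj for the actions of alpha (all reset together) ...
        conj = [('eq', 'h_' + ai, 'h_' + aj) for ai, aj in combinations(acts, 2)]
        # ... and each of them is <= every clock of Act(gamma ⊖ alpha)
        conj += [('le', 'h_' + ai, 'h_' + ak) for ai in acts for ak in sorted(act(rest))]
        conj.append(interaction_inequalities(rest))
        disjuncts.append(('and', conj))
    return ('or', disjuncts)

def pairwise_disjoint(gamma):
    return all(not (alpha & beta) for alpha, beta in combinations(gamma, 2))

def equality_constraints(gamma):
    """Corollary 3.8: for pairwise disjoint interactions E(gamma) collapses to the
    conjunction, over every interaction, of the equalities between its clocks."""
    assert pairwise_disjoint(gamma)
    return ('and', [('eq', 'h_' + ai, 'h_' + aj)
                    for alpha in sorted(gamma, key=sorted)
                    for ai, aj in combinations(sorted(alpha), 2)])

def holds(formula, v):
    """Evaluate a formula tree on a valuation v: clock name -> value."""
    if formula is True:
        return True
    op, *args = formula
    if op == 'or':
        return any(holds(f, v) for f in args[0])
    if op == 'and':
        return all(holds(f, v) for f in args[0])
    if op == 'eq':
        return v[args[0]] == v[args[1]]
    if op == 'le':
        return v[args[0]] <= v[args[1]]
    raise ValueError(op)

def atom_count(formula):
    """Number of atomic constraints: shows how E(gamma) grows with conflicts."""
    if formula is True:
        return 0
    op, *args = formula
    if op in ('or', 'and'):
        return sum(atom_count(f) for f in args[0])
    return 1

def history_clocks(trace, now, initial):
    """Action history clocks h_a at time `now` for a trace of (time, interaction)
    pairs. `initial` is a constructed 'last occurrence' before time 0 for actions
    not executed yet, so those clocks start strictly above h_0 = now."""
    last = dict(initial)
    for t, alpha in trace:
        if t <= now:
            for a in alpha:
                last['h_' + a] = t
    return {name: now - t for name, t in last.items()}

# Running example (Figure 2) with one worker: interactions (a|b1) and (c|d1).
# The trace and the initial values below are constructed, not from the paper.
AB1, CD1 = frozenset({'a', 'b1'}), frozenset({'c', 'd1'})
GAMMA1 = frozenset({AB1, CD1})
INITIAL = {'h_a': -1, 'h_b1': -1, 'h_c': -1, 'h_d1': -1}
TRACE = [(4, AB1), (8, CD1), (12, AB1)]
# A conflicting interaction set: action a is shared by (a|b1) and (a|b2).
GAMMA2 = frozenset({AB1, frozenset({'a', 'b2'})})

if __name__ == '__main__':
    full = interaction_inequalities(GAMMA1)
    for now in (0, 4, 6, 8, 12):
        v = history_clocks(TRACE, now, INITIAL)
        print(now, v, holds(full, v), holds(equality_constraints(GAMMA1), v))
    print('atoms: E(gamma1) =', atom_count(full),
          ', disjoint form =', atom_count(equality_constraints(GAMMA1)),
          ', E(gamma2) =', atom_count(interaction_inequalities(GAMMA2)))
```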


3.2. History Clocks for Interactions. The equality constraints on history clocks allow
us to relate the local constraints obtained individually on components. In the case of
non-conflicting interactions, the relation is rather “tight”, that is, expressed as a conjunction of
equalities on history clocks. In contrast, the presence of conflicts leads to a significantly weaker
form. Intuitively, every action in conflict can potentially be used in different interactions.
The uncertainty on its exact use leads to a disjunctive expression as well as to more restricted
equalities and inequalities amongst history clocks.

Nonetheless, the presence of conflicts themselves can be additionally exploited for
the generation of new invariants. That is, in contrast to equality constraints obtained
from interactions, the presence of conflicting actions enforces disequalities (or separation)
constraints between all interactions using them. In what follows, we show a generic way of
automatically computing such invariants enforcing differences between the timings of the
interactions themselves. To effectively implement this, we proceed in a similar manner as in
the previous section: we again make use of history clocks and corresponding resets but this
time we associate them to interactions, at the system level.

Definition 3.9 (System with Interaction History Clocks). Given a timed system $\|_\gamma B_i$, its
extension with history clocks for interactions is the timed system $B^* \|_{\gamma^h} B_i^h$ where:

• $B^*$ is an auxiliary component $(\{l^*\}, A_\gamma, H_\gamma, T, \{l^* \mapsto true\}, (l^*, true))$ where:

  – the set of actions $A_\gamma = \{a_\alpha \mid \alpha \in \gamma\}$

  – the set of interaction history clocks $H_\gamma = \{h_\alpha \mid \alpha \in \gamma\}$

  – the set of transitions $T = \{(l^*, (a_\alpha, true, \{h_\alpha\}), l^*) \mid \alpha \in \gamma\}$

• $\gamma^h = \{(a_\alpha \mid \alpha) \mid \alpha \in \gamma\}$ with $(a_\alpha \mid \alpha)$ denoting $\{a_\alpha\} \cup \{a \mid a \in \alpha\}$.

As before, it can be shown that any invariant of $B^* \|_{\gamma^h} B_i^h$ corresponds to an invariant
of $\|_\gamma B_i$. The history clocks for interactions do not impact the behaviour and henceforth the
two systems are bisimilar.

Proposition 3.10.

(1) If $\Phi^h$ is an invariant of $B^* \|_{\gamma^h} B_i^h$, then $\Phi = \exists H_\gamma \exists H_A.\Phi^h$ is an invariant of $\|_\gamma B_i$.

(2) If $\Phi^h$ is an invariant of $B^* \|_{\gamma^h} B_i^h$ and $\Psi^h$ an inductive predicate of $B^* \|_{\gamma^h} B_i^h$ expressed on
history clocks for actions and interactions $H_\gamma \cup H_A \setminus \{h_0\}$ then $\Phi = \exists H_\gamma \exists H_A.(\Phi^h \wedge \Psi^h)$
is an invariant of $\|_\gamma B_i$.

Proof. Similar to Proposition 3.2. □


We use history clocks for interactions to express additional constraints on their timing.
The starting point is the observation that when two conflicting interactions compete for
the same action $a$, no matter which one is first, the second one must wait until the component
which owns $a$ is again able to execute $a$. This is referred to as a “separation constraint” for
conflicting interactions.


Definition 3.11 (Separation Constraints for Interaction Clocks). Given an interaction set
$\gamma$, the induced separation constraints, $\mathcal{S}(\gamma)$, are defined as follows:

\[
\mathcal{S}(\gamma) = \bigwedge_{a \in Act(\gamma)} \;\bigwedge_{\substack{\alpha \ne \beta \in \gamma \\ a \in \alpha \cap \beta}} |h_\alpha - h_\beta| \ge k_a
\]

where $|x|$ denotes the absolute value of $x$ and $k_a$ is a constant computed locally on the
component executing $a$, and representing the minimum elapsed time between two consecutive
executions of $a$.


In our running example the only conflicting actions are $a$ and $c$ within the controller,
and both $k_a$ and $k_c$ are equal to 4. The expression of the separation constraints reduces to:

\[
\mathcal{S}(\{(a \mid b_i)_i, (c \mid d_i)_i\}) = \bigwedge_{i \ne j} |h_{c|d_i} - h_{c|d_j}| \ge 4 \;\wedge\; \bigwedge_{i \ne j} |h_{a|b_i} - h_{a|b_j}| \ge 4.
\]


Proposition 3.12. Let

\[
\mathcal{S}^*(\gamma) = \bigwedge_{a \in Act(\gamma)} \;\bigwedge_{\substack{\alpha \ne \beta \in \gamma \\ a \in \alpha \cap \beta}} (h_a \le h_\alpha \le h_\beta - k_a \;\vee\; h_a \le h_\beta \le h_\alpha - k_a)
\]

We have that:

(1) $\mathcal{S}^*(\gamma)$ is an inductive predicate of $B^* \|_{\gamma^h} B_i^h$;

(2) The equivalence $\mathcal{S}(\gamma) = \exists H_A.\mathcal{S}^*(\gamma)$ is a valid formula.


Proof. (1) Let us fix an arbitrary term $S(a, \alpha, \beta)$ defined as

\[
S(a, \alpha, \beta) = (h_a \le h_\alpha \le h_\beta - k_a \;\vee\; h_a \le h_\beta \le h_\alpha - k_a)
\]

Assume $S(a, \alpha, \beta)$ holds in an arbitrary state $s$ of $B^* \|_{\gamma^h} B_i^h$. Then, it obviously holds for
any time successors as well as for any discrete successors by interactions not containing
the action $a$. For an interaction involving $a$, but different from $\alpha$ and $\beta$, $h_a$ is reset to zero
whereas $h_\alpha$ and $h_\beta$ are unchanged. Henceforth, $S(a, \alpha, \beta)$ remains valid as only $h_a$ changes
to 0. Let us consider the situation where $\alpha$ is executed (the case of $\beta$ is perfectly dual). In this
case, both $h_a$ and $h_\alpha$ are reset to 0, whereas $h_\beta$ is unchanged. Two situations can happen:

(a) $h_a \le h_\alpha \le h_\beta - k_a$ holds in $s$. Then, obviously, the same holds in $s'$ where $h_a$ and $h_\alpha$
are reset.

(b) $h_a \le h_\beta \le h_\alpha - k_a$ holds in $s$. This is the interesting case where we need the assumption
about the separation time $k_a$. As consecutive executions of $a$ are separated by $k_a$, to
execute $\alpha$ it must actually hold that $h_a \ge k_a$ in $s$. Consequently, $h_\beta \ge k_a$ in $s$, as well
as in $s'$ (because $h_\beta$ does not change from $s$ to $s'$). Then, knowing that $h_a = h_\alpha = 0$ in
$s'$ we have that $h_a \le h_\alpha \le h_\beta - k_a$ in $s'$.

(2) We can equivalently write

\[
\begin{array}{rl}
\mathcal{S}^*(\gamma) = & \displaystyle \bigwedge_{a \in Act(\gamma)} \;\bigwedge_{\substack{\alpha \ne \beta \in \gamma \\ a \in \alpha \cap \beta}} (h_a \le h_\alpha \wedge h_a \le h_\beta \wedge |h_\alpha - h_\beta| \ge k_a) \\[2ex]
= & \displaystyle \mathcal{S}(\gamma) \wedge \bigwedge_{a \in Act(\gamma)} \;\bigwedge_{\substack{\alpha \ne \beta \in \gamma \\ a \in \alpha \cap \beta}} (h_a \le h_\alpha \wedge h_a \le h_\beta)
\end{array}
\]

and this concludes our proof. □

The predicate $\mathcal{S}(\gamma)$ is expressed over history clocks for interactions. Component invariants $CI(B^h_i)$ are however expressed using history clocks for actions. In order to "glue" them together in a meaningful way, we need a tighter connection between action and interaction history clocks. This aspect is addressed by the constraints $\mathcal{E}^*$ defined below.


Definition 3.13 ($\mathcal{E}^*$). Given an interaction set $\gamma$, we define $\mathcal{E}^*(\gamma)$ as follows:

$$\mathcal{E}^*(\gamma) = \bigwedge_{a \in Act(\gamma)} h_a = \min_{\alpha \in \gamma,\ a \in \alpha} h_\alpha$$


By a similar argument as the one in Proposition 3.4, it can be shown that $\mathcal{E}^*(\gamma)$ is an inductive predicate of the extended system $B^h \|_{\gamma^h} B_\gamma$. Moreover, there exists a tight connection between $\mathcal{E}$ and $\mathcal{E}^*$ as given in Proposition 3.14.

Proposition 3.14.

(1) $\mathcal{E}^*(\gamma)$ is an inductive predicate of $B^h \|_{\gamma^h} B_\gamma$.

(2) The equivalence $\exists\mathcal{H}_\gamma.\mathcal{E}^*(\gamma) = \mathcal{E}(\gamma)$ is a valid formula.

Proof. (1) To see that $\mathcal{E}^*(\gamma)$ is an inductive predicate it suffices to note that the predicate is preserved by time progress transitions and that, for any discrete action $a$, there is always an interaction $\alpha$ containing $a$ such that $h_a$ and $h_\alpha$ are both reset at the same time.

(2) The proof follows directly from the definitions of $\mathcal{E}(\gamma)$ and $\mathcal{E}^*(\gamma)$. Consider that $\gamma = \{\alpha_1, \alpha_2, \ldots, \alpha_m\}$. We have the following equivalences, where $k$ ranges over the orderings $\alpha_{k_1}, \ldots, \alpha_{k_m}$ of the interactions in $\gamma$:

$$\exists\mathcal{H}_\gamma.\mathcal{E}^*(\gamma) = \exists\mathcal{H}_\gamma.\Big(\bigvee_{k} \big(h_{\alpha_{k_1}} \le \ldots \le h_{\alpha_{k_m}}\big) \wedge \mathcal{E}^*(\gamma)\Big)$$

(by choosing an arbitrary ordering on interactions)

$$= \exists\mathcal{H}_\gamma.\bigvee_{k}\Big(h_{\alpha_{k_1}} \le \ldots \le h_{\alpha_{k_m}} \wedge \bigwedge_{a \in \alpha_{k_1}} (h_a = h_{\alpha_{k_1}}) \wedge \bigwedge_{a \in \alpha_{k_2} \setminus \alpha_{k_1}} (h_a = h_{\alpha_{k_2}}) \wedge \ldots \wedge \bigwedge_{a \in \alpha_{k_m} \setminus (\alpha_{k_1} \cup \ldots \cup \alpha_{k_{m-1}})} (h_a = h_{\alpha_{k_m}})\Big)$$

(by expanding the definition of $\mathcal{E}^*(\gamma)$ along the chosen order)

$$= \exists\mathcal{H}_\gamma.\bigvee_{k}\Big(h_{\alpha_{k_1}} \le \ldots \le h_{\alpha_{k_m}} \wedge \bigwedge_{j=1}^{m}\ \bigwedge_{a \in \alpha_{k_j} \setminus \bigcup_{l<j} \alpha_{k_l}} (h_a = h_{\alpha_{k_j}})\Big)$$

(by rewriting to a more compact form)

$$= \bigvee_{k} \exists\mathcal{H}_\gamma.\Big(h_{\alpha_{k_1}} \le \ldots \le h_{\alpha_{k_m}} \wedge \bigwedge_{j=1}^{m}\ \bigwedge_{a \in \alpha_{k_j} \setminus \bigcup_{l<j} \alpha_{k_l}} (h_a = h_{\alpha_{k_j}})\Big)$$

(by distributing the existential quantifiers over the disjunction)

$$= \mathcal{E}(\gamma)$$

(by eliminating the existential quantifiers) □


From Propositions 3.14, 3.10 and 3.12 it follows that $\exists\mathcal{H}_A\exists\mathcal{H}_\gamma.(\bigwedge_i CI(B^h_i) \wedge II(\gamma) \wedge \mathcal{E}^*(\gamma) \wedge \mathcal{S}(\gamma))$ is an invariant of $\|_\gamma B_i$. This new invariant is in general stronger than $\exists\mathcal{H}_A.(\bigwedge_i CI(B^h_i) \wedge II(\gamma) \wedge \mathcal{E}(\gamma))$ and it provides better state space approximations for timed systems with conflicting interactions.

Corollary 3.15. $\Phi = \exists\mathcal{H}_A\exists\mathcal{H}_\gamma.(\bigwedge_i CI(B^h_i) \wedge II(\gamma) \wedge \mathcal{E}^*(\gamma) \wedge \mathcal{S}(\gamma))$ is an invariant of $\|_\gamma B_i$.


Example 3.16. To get some intuition about the invariant generated using separation constraints, let us reconsider the running example with two workers. The subformula which we emphasise here is the conjunction of $\mathcal{E}^*$ and $\mathcal{S}$. The interaction invariant is:

$$II(\gamma) = (l_{11} \vee l_{c1} \vee l_{c2}) \wedge (l_{21} \vee l_{c1} \vee l_{c2}) \wedge (l_{c2} \vee l_{11} \vee l_{21}) \wedge (l_{c0} \vee l_{c1} \vee l_{12} \vee l_{22})$$

The component invariants are:

$$CI(Controller^h) = (l_{c0} \wedge x = h_0 \wedge h_0 \le h_a \wedge h_0 \le h_c) \vee$$
$$(l_{c1} \wedge x \le h_0 - 8 \wedge x \le 4 \wedge h_0 \le h_a \wedge h_0 \le h_c) \vee$$
$$(l_{c1} \wedge x \le 4 \wedge x = h_c \le h_a \le h_0 - 12) \vee$$
$$(l_{c2} \wedge x \le h_0 - 12 \wedge h_a = x \wedge h_0 \le h_c) \vee$$
$$(l_{c2} \wedge x = h_a \wedge h_c = h_a + 4 \le h_0 - 12)$$

$$CI(Worker^h_i) = (l_{i1} \wedge y_i = h_0 \wedge h_0 \le h_{d_i} \wedge h_0 \le h_{b_i}) \vee$$
$$(l_{i1} \wedge y_i = h_{d_i} \le h_{b_i} \le h_0 - 8) \vee$$
$$(l_{i2} \wedge y_i \ge h_{b_i} + 8 \le h_0 \le h_{d_i}) \vee$$
$$(l_{i2} \wedge y_i = h_{d_i} \le h_0 - 8 \wedge h_{b_i} \le h_{d_i} - 8)$$

The inequalities for action and interaction history clocks are:

$$\mathcal{E}^*(\gamma) = (h_{b_1} = h_{a|b_1}) \wedge (h_{b_2} = h_{a|b_2}) \wedge (h_a = \min_i(h_{a|b_i})) \wedge$$
$$(h_{d_1} = h_{c|d_1}) \wedge (h_{d_2} = h_{c|d_2}) \wedge (h_c = \min_i(h_{c|d_i}))$$

By recalling the expression of $\mathcal{S}(\gamma)$ we obtain that:

$$\exists\mathcal{H}_\gamma.\mathcal{E}^*(\gamma) \wedge \mathcal{S}(\gamma) = \big(|h_{b_2} - h_{b_1}| \ge 4 \wedge |h_{d_2} - h_{d_1}| \ge 4\big)$$

and thus, after quantifier elimination in

$$\exists\mathcal{H}_A.\big(CI(Controller^h) \wedge CI(Worker^h_1) \wedge CI(Worker^h_2) \wedge II(\gamma) \wedge \mathcal{E}^*(\gamma) \wedge \mathcal{S}(\gamma)\big)$$

and after simplification, we obtain the following invariant $\Phi$:

$$\Phi = (l_{11} \wedge l_{21} \wedge l_{c0} \wedge x = y_1 = y_2) \vee$$
$$(l_{11} \wedge l_{21} \wedge l_{c1} \wedge x \le 4 \wedge (y_1 = y_2 \ge x + 8 \vee$$
$$(y_1 = x \wedge y_2 - y_1 \ge 4) \vee$$
$$(y_1 \ge x + 8 \wedge y_1 - y_2 \ge 8) \vee$$
$$(y_2 = x \wedge y_1 - y_2 \ge 4) \vee$$
$$(y_2 \ge x + 8 \wedge y_2 - y_1 \ge 8))) \vee$$
$$(l_{21} \wedge l_{12} \wedge l_{c2} \wedge y_1 \ge x + 8 \wedge ((y_2 \ge x + 4 \wedge |y_1 - y_2| \ge 4) \vee y_2 \ge x + 12)) \vee$$
$$(l_{11} \wedge l_{22} \wedge l_{c2} \wedge y_2 \ge x + 8 \wedge ((y_1 \ge x + 4 \wedge |y_1 - y_2| \ge 4) \vee y_1 \ge x + 12))$$

We emphasised in the expression of $\Phi$ the newly discovered constraints. All in all, $\Phi$ is strong enough to prove that the system is deadlock free.

We conclude the section with a discussion about the computation of the separation constants $k_a$. A simple but incomplete heuristic to test that a given value $k_a$ is a correct separation constant for an action $a$ is as follows. Consider all paths connecting two transitions (not necessarily distinct) labelled by $a$. If on every such path there exists a clock $x$ which is reset and then tested in a guard $x \ge ct$, with $ct \ge k_a$, then it is safe to conclude that $k_a$ is a correct separation value. Nonetheless, alternative methods to exactly compute $k_a$ have already been proposed in the literature. For details, the interested reader can refer, for instance, to m, which reduces this computation to finding a shortest path in a weighted graph built from the zone graph associated to the component.
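The path condition above can be checked mechanically on a component's transition graph. The following Python is an added illustration written for this page (it is not the paper's or RTD-Finder's code): it enumerates simple paths between pairs of $a$-labelled transitions and looks for a reset of a clock $x$ followed by a guard $x \ge ct$ with $ct \ge k_a$, treating the guard of the second $a$-transition as part of the path. The transition-tuple encoding and the three sample automata at the bottom are assumptions constructed for the example; they are not the paper's running example.

```python
"""Path-based heuristic for checking a separation constant k_a (added example).

Illustration code written for this page, not code from the paper or from
RTD-Finder. It formalises the heuristic of the text: k is accepted for action
`act` if every simple path between two `act`-labelled transitions (including
the path from a transition back to itself) resets some clock x and later
tests a guard x >= c with c >= k. A transition is a tuple
(source, action, guards, resets, target); guards are (clock, op, const) with
op in {'>=', '>'}. The three automata at the bottom are constructed samples.
"""
from itertools import product


def _simple_paths(transitions, start, end):
    """Yield every simple path (no repeated location) from `start` to `end`.

    When start == end the empty path is yielded first: the two act-transitions
    are adjacent and only their own resets/guards can separate them.
    """
    def dfs(loc, visited, path):
        for t in transitions:
            if t[0] != loc:
                continue
            nxt = t[4]
            if nxt == end:
                yield path + [t]
            elif nxt not in visited:
                yield from dfs(nxt, visited | {nxt}, path + [t])
    if start == end:
        yield []
    yield from dfs(start, {start}, [])


def _reset_then_guard(path, k):
    """True if a clock reset on path[i] is tested x >= c with c >= k on a later path[j]."""
    for i, (_, _, _, resets, _) in enumerate(path):
        for x in resets:
            for (_, _, guards, _, _) in path[i + 1:]:
                if any(clk == x and op in ('>=', '>') and c >= k
                       for (clk, op, c) in guards):
                    return True
    return False


def separation_ok(transitions, act, k):
    """Return True when the heuristic certifies k as a separation constant for `act`.

    Sound but incomplete: a False result only means this argument cannot
    justify k, not that k is wrong.
    """
    act_trans = [t for t in transitions if t[1] == act]
    for first, second in product(act_trans, repeat=2):
        for middle in _simple_paths(transitions, first[4], second[0]):
            if not _reset_then_guard([first] + middle + [second], k):
                return False
    return True


# Constructed sample components (assumptions of this example).
# GUARDED: l0 -a, x:=0-> l1 -b, x>=4-> l0, so consecutive a's are 4 apart.
GUARDED = [
    ('l0', 'a', [], ['x'], 'l1'),
    ('l1', 'b', [('x', '>=', 4)], [], 'l0'),
]
# BYPASS: same, plus an unguarded shortcut l1 -c-> l0 that skips the test.
BYPASS = GUARDED + [('l1', 'c', [], [], 'l0')]
# INDIRECT: the reset and the guard sit on transitions other than a.
INDIRECT = [
    ('l0', 'a', [], [], 'l1'),
    ('l1', 'b', [], ['y'], 'l2'),
    ('l2', 'c', [('y', '>=', 6)], [], 'l0'),
]

if __name__ == '__main__':
    for name, comp, k in [('GUARDED', GUARDED, 4), ('GUARDED', GUARDED, 5),
                          ('BYPASS', BYPASS, 4), ('INDIRECT', INDIRECT, 6)]:
        print(name, 'k_a =', k, '->', separation_ok(comp, 'a', k))
```

Simple paths suffice: removing a cycle from a path keeps the relative order of the remaining transitions, so a reset-then-guard pair found on every simple path is also found on every path with cycles. As the text says, the check is incomplete: `BYPASS` returns False for $k_a = 4$ although the shortcut may be unreachable for other (timing) reasons the path argument does not see.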
4. Improving (VR) - Three Heuristics

We describe and elaborate on heuristics that strengthen the generated invariants and reduce the generation time. These heuristics have been successfully applied on our case studies considered later in Section 5.

4.1. Refining conflicting interactions. The initialisation of the history clock $h_0$ provides a convenient way to express and reason about invariants relating occurrences of various actions and interactions at execution. The assertion $h_a \le h_0$ has the intuitive meaning that "$a$ has been executed". We describe below a new family of invariants providing a finer characterisation for the execution of conflicting interactions and related actions.

We fix $a$ as a potential conflicting action within some component $B = (L, A, T, X, tpc)$. We define the set of preceding actions $Prec(a)$ as all actions of $B$ that can immediately precede $a$ in an execution, formally $Prec(a) = \{a' \in A \mid \exists l, l', l'' \in L.\ l \xrightarrow{a'} l' \wedge l' \xrightarrow{a} l''\}$. For any two conflicting interactions $\alpha_1, \alpha_2$ involving $a$, the following assertion:

$$h_{\alpha_1} \le h_0 \wedge h_{\alpha_2} \le h_0 \rightarrow \bigvee_{a' \in Prec(a)} h_{a'} \le h_0$$

is an invariant. Intuitively, the assertion states that whenever $\alpha_1$ and $\alpha_2$ have both been executed (implying that $a$ has also been executed two or more times), at least one of the preceding actions of $a$ must also have been executed. We remark that the invariant above is rather weak and can be implied by the component invariant $CI(B)$ and the glue invariant $\mathcal{E}^*$ in many situations. In fact, whenever $a$ is an action which is not enabled at the initial location of $B$, the component invariant $CI(B)$ implies that

$$h_a \le h_0 \rightarrow \bigvee_{a' \in Prec(a)} h_{a'} \le h_0.$$

This states that whenever $a$ has been executed, at least one of its preceding actions has been executed as well. Knowing moreover that $h_a = \min_{a \in \alpha} h_\alpha$, we can then infer the invariant above.

Nonetheless, if $a$ is an action that is enabled at the initial location, the newly proposed invariant is stronger and cannot be derived as shown before. In this case, $a$ can actually be executed once while none of its predecessors has been executed yet. The component invariant alone no longer relates the execution of $a$ to the execution of its preceding actions. Moreover, the component invariant always considers the last occurrence of $a$ and has no means of distinguishing cases where $a$ has been executed only once or more often. This information can sometimes be re-discovered when the interaction history clocks $h_{\alpha_1}, h_{\alpha_2}$ are taken into account, hence leading to the proposed invariant. A concrete illustration is provided later in Section 5.1.

4.2. Invariant computation using regular expressions. There exist situations where the computation of component invariants can be extremely costly. In particular, for untimed components extended with history clocks, their zone graphs will most likely have an exponential size. In fact, due to history clocks, the zones will record the order of (the last) occurrences of actions, and there could be exponentially many of them, reachable at different locations. We note that, in timed components, clocks restrict the dynamics of the components; consequently, it cannot be the case that all the orders are possible.

The above observation suggests (and was confirmed by our experiments) that applying the same methodology for computing component invariants (based on the reachability graph of the corresponding components with history clocks) regardless of the components being timed or not leads to large formulae when possibly shorter ones exist.

Example 4.1. Consider the untimed component presented in Figure 3 (left) and its extension with history clocks (right). The entire zone graph reachable from $(l_0, \zeta_0)$, with $\zeta_0 = (h_0 = 0, h_{a,b,c} \ge 0)$, has 16 symbolic states. Therefore, the component invariant is expressed as a disjunction of 16 terms, 9 of them related to location $l_0$ and 7 related to location $l_1$.

[Figure 3 (image not reproduced): left, an untimed component with locations $l_0$, $l_1$ and transitions labelled $a$, $b$, $c$; right, its extension with history clocks, where the transitions become $a, h_a := 0$; $b, h_b := 0$; $c, h_c := 0$.]

Figure 3: An untimed component (left) and its extension with history clocks (right).

We recall that untimed automata have elegant and compact encodings as regular expressions. This basic fact can be exploited in order to provide an alternative computation method for component invariants. More concretely, given an untimed component $B = (L, A, T)$, we show how to automatically compute the invariant describing the relations between the history clocks of $B^h$ at some location $l$ from the language accepted by $B$ at that location. The first key observation is that only the last occurrence of each action should be retained. This implies that it is safe to abstract, with respect to last occurrences, the regular expression characterising the language accepted at the chosen control location. The second key observation is that regular expressions in some restricted form can be used to directly generate fewer constraints on the history clocks. Our regular expression based method can therefore be summarised as follows:

(1) construct the regular expression $E_l$ representing the language accepted by $B$ at location $l$;

(2) abstract $E_l$ with respect to last occurrence retention towards some restricted form $e^l_1 + \ldots + e^l_n$ where every $e^l_i$ contains each action at most once and does not contain nested *-operators;

(3) generate from every $e^l_i$ a characteristic formula on history clocks $\phi(e^l_i)$ and obtain as invariant for $B^h$ the assertion $l \rightarrow \bigvee_i \phi(e^l_i)$.

The first step is well known for finite automata and will not be detailed here. For the second abstraction step, the key ingredients are the simplification rules in Figure 4.

Rule 1 [Last Occurrence Retention]: $E \cdot a \rightarrow (E \setminus a) \cdot a$

Rule 2 [Back-unfolding]: $E^* \rightarrow (E^* \cdot E) + \epsilon$

Figure 4: Simplification Rules
Rule 1 eliminates all but the last occurrence of the trailing $a$ symbol from a regular expression of the form $E \cdot a$. The $\setminus$ denotes a syntactic elimination operator defined structurally on expressions as follows. Let $a$ and $x$ be two symbols and $E$, $E_1$ and $E_2$ be arbitrary regular expressions.

$$\epsilon \setminus a = \epsilon \qquad\qquad x \setminus a = \begin{cases} \epsilon & \text{if } x = a \\ x & \text{if } x \ne a \end{cases}$$

$$(E_1 + E_2) \setminus a = (E_1 \setminus a) + (E_2 \setminus a) \qquad (E_1 . E_2) \setminus a = (E_1 \setminus a).(E_2 \setminus a) \qquad E^* \setminus a = (E \setminus a)^*$$

Rule 2 simply unfolds *-expressions once. By using this rule and other basic manipulations of regular expressions, further simplification opportunities for Rule 1 are enabled.

Example 4.2. Let us consider again the example presented in Figure 3. The language accepted at $l_1$ is defined as $(a + bc^*b)^*bc^*$. This expression is progressively abstracted into the restricted form as follows:

$$(a + bc^*b)^*bc^* \rightarrow (a + c^*)^*bc^* \quad \text{(by Rule 1)}$$

$$= (a + c^*)^*b(c^*c + \epsilon) \quad \text{(by Rule 2)}$$

$$= (a + c^*)^*bc^*c + (a + c^*)^*b \quad \text{(by splitting the last +)}$$

$$\rightarrow (a + \epsilon)^*bc + (a + c^*)^*b \quad \text{(by Rule 1)}$$

$$= a^*bc + (a + c)^*b \quad \text{(by standard transformation)}$$


In the example above, we have applied the iterative strategy consisting of (1) choosing 
symbols from right to left and applying Rule 1 until no longer possible and then (2) applying 
Rule 2 to unfold the rightmost *-expression and split the incoming +. It can be shown that 
such a strategy always terminates with expressions in the restricted form. Intuitively, what 
happens is that Rule 2 splits larger expressions into smaller ones and, further, for each of 
these Rule 1 eliminates repetitions of symbols. 

For the third step, we construct from a regular expression $e^l$ in restricted form an equivalent formula $\phi(e^l)$ on history clocks. This formula represents exactly the set of orders on actions (the strings) encoded by the regular expression:

$$\phi(e^l) = \bigvee_{\substack{a_1 \ldots a_n \in L(e^l) \\ \text{distinct } a_1, \ldots, a_n}} \Big(h_0 > h_{a_1} > \cdots > h_{a_n} \wedge \bigwedge_{c \notin \{a_1, \ldots, a_n\}} h_c > h_0\Big)$$

where $L(e^l)$ is the language of $e^l$. We note that since we only consider words with distinct symbols, there are finitely many of them and the disjunction is finite as well.

As an illustration, let $e^l$ be the regular expression in restricted form $a^*bc + (a + c)^*b$ obtained in Example 4.2. The finite words on which $\phi(e^l)$ builds are $abc$ and $bc$ (from $a^*bc$) and $acb$, $cab$, $cb$, $ab$, $b$ (from $(a + c)^*b$). By applying the above encoding, we obtain:

$$(h_0 > h_a > h_b > h_c) \vee (h_a > h_0 > h_b > h_c) \vee \quad \text{(corr. to } abc \text{, resp. } bc)$$

$$(h_0 > h_a > h_c > h_b) \vee (h_0 > h_c > h_a > h_b) \vee \quad \text{(corr. to } acb \text{, resp. } cab)$$

$$(h_a > h_0 > h_c > h_b) \vee (h_c > h_0 > h_a > h_b) \vee \quad \text{(corr. to } cb \text{, resp. } ab)$$

$$(h_0 > h_b \wedge h_c, h_a > h_0) \quad \text{(corr. to } b)$$

Such encodings are, in fact, invariants. Intuitively, the inequalities in $\phi(e^l)$ reflect precisely the order in which the last action occurrences have taken place.

Proposition 4.3. Let $B$ be an untimed component, $E_l$ the regular expression characterising the language accepted by $B$ at location $l$, and $E^r_l$ the result of applying the simplification rules. We have that $\bigvee_l (l \wedge \phi(E^r_l))$ is an invariant of $B^h$.

Proof. (sketch) The local component invariant at some location $l$ is precisely characterised by the orders of the last occurrences of actions on traces reaching $l$. To show that these orders are captured by $\phi(E^r_l)$, it suffices to note that, on the one hand, $E_l$ and $E^r_l$ preserve the language of the last occurrences of actions. This follows from the simplification rules. On the other hand, for regular expressions in restricted form we can prove the following property: for every word $w$ in $L(e^l)$, the restricted sub-word $w_{loc}$ obtained from $w$ by removing all but the last occurrences of every symbol belongs to $L(e^l)$ as well. Hence one can enumerate all last-occurrence words $w_{loc}$ by simply considering all accepted words of $L(e^l)$ having distinct symbols. To conclude the proof we only need to note that the inequalities in $\phi(E^r_l)$ encode the enumeration of all possible words corresponding to traces of $B^h$ ending at $l$. □
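Steps (2) and (3) of the method, and the property the proof sketch relies on (the set of last-occurrence words is preserved by the simplification rules), can be exercised on Example 4.2 with the following Python. It is an added illustration written for this page, not the paper's or RTD-Finder's implementation. The tuple encoding of regular expressions, the helper names (`lo_words`, `elim`, `rule1`, `phi`, `phi_text`) and the direct fixed-point computation of the last-occurrence words from an arbitrary expression (which generalises the restricted-form enumeration in the text to expressions that are not yet in restricted form) are assumptions of the example.

```python
"""Last-occurrence abstraction of regular expressions and the phi encoding (added example).

Illustration code written for this page; it is not code from the paper or from
RTD-Finder. Regular expressions are nested tuples built with the helpers below:
EPS, sym('a'), alt(e1, e2, ...), cat(e1, e2, ...), star(e). Words are strings of
single-letter actions. lo_words(e) computes the finite set {lo(w) | w in L(e)},
where lo(w) keeps only the last occurrence of every symbol, directly from the
expression (no enumeration of the infinite language), using the identity
lo(u.v) = (lo(u) with the symbols of v deleted) . lo(v). elim is the paper's
syntactic elimination operator E \\ a from Figure 4.
"""
from functools import reduce

EPS = ('eps',)


def sym(a):
    return ('sym', a)


def alt(*es):
    return reduce(lambda x, y: ('alt', x, y), es)


def cat(*es):
    return reduce(lambda x, y: ('cat', x, y), es)


def star(e):
    return ('star', e)


def lo(word):
    """Keep only the last occurrence of each symbol, e.g. lo('bcab') == 'cab'."""
    return ''.join(c for i, c in enumerate(word) if c not in word[i + 1:])


def _lo_cat(u, v):
    """lo of the concatenation of two words that are already last-occurrence words."""
    return ''.join(c for c in u if c not in v) + v


def lo_words(e):
    """The set of last-occurrence words of L(e); finite since each word has distinct symbols."""
    kind = e[0]
    if kind == 'eps':
        return {''}
    if kind == 'sym':
        return {e[1]}
    if kind == 'alt':
        return lo_words(e[1]) | lo_words(e[2])
    if kind == 'cat':
        return {_lo_cat(u, v) for u in lo_words(e[1]) for v in lo_words(e[2])}
    if kind == 'star':
        body, result = lo_words(e[1]), {''}
        while True:  # least fixed point of result := result U result.body
            new = {_lo_cat(u, v) for u in result for v in body}
            if new <= result:
                return result
            result |= new
    raise ValueError('unknown node %r' % (kind,))


def elim(e, a):
    """Syntactic elimination E \\ a (Figure 4): the symbol a becomes epsilon everywhere."""
    kind = e[0]
    if kind == 'eps':
        return e
    if kind == 'sym':
        return EPS if e[1] == a else e
    if kind == 'star':
        return ('star', elim(e[1], a))
    return (kind, elim(e[1], a), elim(e[2], a))


def rule1(e, a):
    """Rule 1 [Last Occurrence Retention]: E.a -> (E \\ a).a"""
    return cat(elim(e, a), sym(a))


def phi(e, alphabet):
    """phi(e) as a set of disjuncts (w, unexecuted): h_0 > h_{w[0]} > ... > h_{w[-1]}
    for the actions in w, and h_c > h_0 for every action c in `unexecuted`."""
    return {(w, frozenset(alphabet) - set(w)) for w in lo_words(e)}


def phi_text(e, alphabet):
    """Render phi(e) as a readable formula string."""
    parts = []
    for w, rest in sorted(phi(e, alphabet), key=lambda d: d[0]):
        chain = ' > '.join(['h_0'] + ['h_' + a for a in w])
        others = ''.join(' and h_%s > h_0' % c for c in sorted(rest))
        parts.append('(' + chain + others + ')')
    return ' or '.join(parts)


# Example 4.2 of the page: the language accepted at l_1 and its restricted form.
A, B, C = sym('a'), sym('b'), sym('c')
ORIGINAL = cat(star(alt(A, cat(B, star(C), B))), B, star(C))    # (a + bc*b)* b c*
RESTRICTED = alt(cat(star(A), B, C), cat(star(alt(A, C)), B))  # a*bc + (a + c)*b

if __name__ == '__main__':
    print(sorted(lo_words(ORIGINAL)))
    print(phi_text(RESTRICTED, 'abc'))
```

`lo_words` recovers the seven words $b, ab, cb, acb, cab, bc, abc$ of Example 4.2 from both $(a + bc^*b)^*bc^*$ and its restricted form, and `rule1` applied to $(a + bc^*b)^* \cdot b$ leaves that set unchanged, which is the language-preservation claim the proof sketch uses. For a restricted-form expression `phi_text` prints exactly the disjuncts listed after Example 4.2.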

We can exploit the structure of regular expressions in restricted form to optimise the technique described above even further. To illustrate this, we consider the regular expression $(b_1 + \ldots + b_m)^* a_1 \ldots a_n$ in restricted form (whenever $a_1, \ldots, a_n, b_1, \ldots, b_m$ are distinct). The corresponding formula on history clocks is

$$h_0 > h_{a_1} > \ldots > h_{a_n} \ \wedge\ h_{b_1} > h_{a_1} \wedge \ldots \wedge h_{b_m} > h_{a_1} \ \wedge\ h_c > h_0.$$

The first part encodes the ordering constraints on the mandatory string $a_1 \ldots a_n$. All these actions occur (consequently, their history clocks are smaller than $h_0$) in this precise order. The second part considers constraints on occurrences of the $b_j$ actions, which are optional: if some occur, their executions are unconstrained with respect to each other; however, they take place before $a_1$. Finally, the last part deals with actions $c$ which do not appear in the regular expression. For all of them, their history clocks should be strictly greater than $h_0$. We remark that, for this particular example, the obtained formula has linear size with respect to the size of the regular expression. In contrast, the number of strings encoded (i.e., when restricted to last occurrences of symbols) is exponential with respect to the number of $b$ actions. The construction above can be generalised to arbitrary restricted regular expressions without much difficulty. The resulting formula remains of polynomial size (at worst quadratic) with respect to the size of the restricted regular expression provided as input.

Example 4.4. Following the approach described above, the regular expression in restricted form $a^*bc + (a + c)^*b$ translates into:

$$(h_0 > h_b > h_c \wedge h_a > h_b) \vee (h_0 > h_b \wedge h_a > h_b \wedge h_c > h_b)$$

We note this expression is significantly smaller, yet logically equivalent to the disjunction of 7 distinct terms corresponding to symbolic zones reached at $l_1$ as initially presented in Example 4.1.


To sum up, we described a heuristic which can be applied to untimed components to automatically compute an invariant with a reasonable enough size to be handled by existing SMT solvers. Given an untimed component $B$, our heuristic makes use of the regular expressions characterising the language accepted by $B$ to avoid a direct construction of the zone graph of $B^h$, which would result in considerably large invariants.


4.3. Exploiting Symmetry. At a closer examination of the definition of separation constraints in Section 3.2, it can be noticed that it characterises all possible orderings of conflicting interactions with respect to permutations. The size of the corresponding search space is exponential in the number of conflicting interactions and this, in turn, may be a bottleneck for the solver. Such situations can and must be avoided, especially in the case of symmetric systems. What we show next is how the inherent symmetry in the formula can be eliminated such that the search space becomes considerably smaller.

The use of symmetry has long been addressed, mostly with the intention of making model-checking more feasible and especially in the context of parameterised systems [221123 SUES]. There the goal is to show the existence of a small cutoff bound which allows the reduction of the verification problem from an arbitrary number of instances to a small, fixed one. Our context is different, that is, breaking the symmetry in some of the generated invariants, for an a priori known number of components.

The types of systems we consider next are formed of a fixed number, say $n$, of isomorphic components interacting with a controller; thus the interactions are binary. Isomorphic components are obtained from a generic component $B$ by attaching an index $i$ (from 1 to $n$) to all symbols in $B$. The resulting component is denoted by $B_i$. For any $i, j$, $B_i$ and $B_j$ are isomorphic.⁶ For ease of reference, we denote systems like $C \|_\gamma B_i$ by the letter $M$ and we use $Exec$ to denote the set of their global executions.

In this framework, the notion of symmetry is intrinsically related to permutations. Let $\Pi_n$ denote the group of permutations of $n$. The application of permutations is defined on the structure of systems and properties. For a system $M$ as $C \|_\gamma B_i$, and a permutation $\pi$, $\pi(M)$ is defined as $C \|_{\pi(\gamma)} \pi(B_i)$ where $\pi(B_i)$ is defined as $B_{\pi(i)}$ and $\pi(\gamma)$ as $\{\pi(\alpha) \mid \alpha \in \gamma\}$ with $\pi(a_c \mid a_i) = a_c \mid a_{\pi(i)}$ for $\alpha$ an arbitrary binary interaction between an action $a_c$ of $C$ and an action $a_i$ of a $B_i$. For an execution $\sigma = \alpha_1, \ldots, \alpha_i, \ldots, \alpha_k$, $\pi(\sigma)$ is defined as $\pi(\alpha_1), \pi(\alpha_2), \ldots, \pi(\alpha_k)$. For a global state $s = (s_c, s_1, \ldots, s_n)$, $\pi(s)$ is defined as $(s_c, s_{\pi(1)}, \ldots, s_{\pi(n)})$. As for system properties $\varphi$, we restrict to those built (with the usual logical connectors) from clock constraints and locations, and define:

$$\pi(\varphi) = \begin{cases} l_{\pi(i)} & \text{if } \varphi = l_i \\ x_{\pi(i)}\ rop\ x_{\pi(j)} & \text{if } \varphi = x_i\ rop\ x_j \text{ and } rop \in \{<, \le, =, \ge, >\} \\ \neg\pi(\varphi_1) & \text{if } \varphi = \neg\varphi_1 \\ \pi(\varphi_1)\ op\ \pi(\varphi_2) & \text{if } \varphi = \varphi_1\ op\ \varphi_2 \text{ and } op \in \{\wedge, \vee\} \end{cases}$$

where $l_i, x_i$ denote a location, respectively a clock, in $B_i$.

⁶ We note that, by construction, isomorphic components cannot have clock constraints involving indices: any constraint in a worker $B_i$ is obtained from those in $B$, which are oblivious to indices $i$.
The symmetric systems we consider are symmetric in a "strong" sense, i.e., they are fully symmetric. A system $M$ is fully symmetric if for any $\pi \in \Pi_n$, $\pi(M)$ is syntactically identical to $M$. Similarly, a property $\varphi$ is fully symmetric if for any permutation $\pi$, $\pi(\varphi)$ is equivalent to $\varphi$. A property like $l_1 \wedge l_2 \wedge \cdots \wedge l_n$ is symmetric. On the contrary, $G = x_1 < x_2$ is not, as for the permutation $\pi(1) = 2, \pi(2) = 1$, $\pi(G) = x_{\pi(1)} < x_{\pi(2)} = x_2 < x_1$, which is not equivalent to $G$.

Symmetric systems have the convenient property that, whenever started in a symmetric state, for any of their executions $\sigma \in Exec$, $\pi(\sigma)$ is itself an execution, that is, $\pi(\sigma) \in Exec$. To see why this is indeed the case, let $\gamma$ be the interaction set and $\alpha = (a_c \mid a_i)$ an interaction in $\gamma$. It suffices to note that if $\alpha$ is possible after $\sigma$, then it is also the case for $\pi(\alpha)$ after $\pi(\sigma)$. Note also that, thanks to symmetry, $\pi(\alpha)$ is in $\gamma$.

The idea behind simplifying the separation constraints $\mathcal{S}$ is to break the symmetry by replacing the constraints on absolute values $|h_{\alpha_i} - h_{\alpha_j}|$. More precisely, given a conflicting (controller) action $a_c$, in an execution where interaction $\alpha_i = a_c \mid a_i$ executes before $\alpha_j = a_c \mid a_j$ for $j > i$, we can naturally replace $|h_{\alpha_i} - h_{\alpha_j}|$ by $h_{\alpha_i} - h_{\alpha_j}$. As for an execution which violates this natural ordering (or "canonicity"), we show that we can make use of symmetry to rearrange it. First, we formalise more precisely what we mean by canonicity. Given an execution $\sigma$ and an interaction $\alpha_i = a_c \mid a_i$ we denote by $lpos(\sigma, \alpha_i)$ the last position of $\alpha_i$ in $\sigma$. An execution $\sigma$ is canonical with respect to $a_c$ if $lpos(\sigma, \alpha_i) < lpos(\sigma, \alpha_j)$ for any $i < j$. Let $Exec^c$ be the set of canonical executions. Thanks to symmetry, any execution has a corresponding canonical execution. Assume $\sigma$ is such that there is a conflicting $a_c$ and for $i > j$ the last occurrence of $\alpha_i = a_c \mid a_i$ appears later than that of $\alpha_j = a_c \mid a_j$. Let $\pi$ be such that $\pi(i) = j$ and $\pi(j) = i$. Then $\pi(\sigma)$ is itself an execution and is canonical.

For a canonical execution with $a_c$ being the action of interest, $\mathcal{S}$ simplifies to:

$$\mathcal{S}^c(\gamma) = \bigwedge_{\substack{i < j \\ a_c \in \alpha_i \cap \alpha_j}} h_{\alpha_i} - h_{\alpha_j} \ge k_{a_c} \ \wedge\ \bigwedge_{b \ne a_c}\ \bigwedge_{b \in \beta_i \cap \beta_j} |h_{\beta_i} - h_{\beta_j}| \ge k_b$$

We note that $\mathcal{S}^c$ reduces $\mathcal{S}$ by $n!$. This is the best we can get in general. However, under particular conditions, $\mathcal{S}$ can be further reduced. For instance, if the controller is such that it considers components one by one and, moreover, requires the use of some designated action $a_c$, then $\mathcal{S}$ further reduces to:

$$\bigwedge_{a \in Act(C)}\ \bigwedge_{\substack{i < j \\ a \in \alpha_i \cap \alpha_j}} h_{\alpha_i} - h_{\alpha_j} \ge k_{a_c}$$

This is because, by considering components one by one, all conflicting interactions involving the controller follow the same order as defined for the designated action $a_c$. We anticipate and note that such a scenario is the "temperature controller" case study from Section 5.4.
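The canonicity argument can be checked on a concrete execution. The Python below is an added illustration for this page, not code from the paper or from RTD-Finder. It assumes the symmetric setting of the text (binary interactions $a_c \mid a_i$ with $n$ isomorphic workers), computes $lpos$, tests canonicity, builds a permutation $\pi$ that makes the execution canonical (ranking all workers by $lpos$ at once rather than swapping one pair, which generalises the construction in the text), and evaluates $\mathcal{S}$ and $\mathcal{S}^c$ for $a_c$ on history clocks recovered from timestamps. The execution `SIGMA`, the constant `K` and the treatment of never-executed interactions as unconstrained are constructed assumptions of the example.

```python
"""Canonical executions and the reduced separation constraint S^c (added example).

Illustration code written for this page, not code from the paper or RTD-Finder.
Setting: a controller action ac synchronised with one of n isomorphic workers.
An execution is a list of (time, interaction) pairs with interaction = (ac, i);
SIGMA, K and NOW below are constructed sample data.
"""


def lpos(sigma, alpha):
    """Last position of interaction alpha in sigma, or -1 if it never occurs."""
    pos = -1
    for idx, (_, beta) in enumerate(sigma):
        if beta == alpha:
            pos = idx
    return pos


def is_canonical(sigma, ac, n):
    """Canonical w.r.t. ac: lpos(alpha_i) < lpos(alpha_j) for all i < j.
    Assumption (not stated on the page): interactions that never occur are ignored."""
    positions = (lpos(sigma, (ac, i)) for i in range(1, n + 1))
    occurring = [p for p in positions if p >= 0]
    return all(p < q for p, q in zip(occurring, occurring[1:]))


def canonical_permutation(sigma, ac, n):
    """A permutation pi (dict i -> pi(i)) such that pi(sigma) is canonical:
    workers are ranked by the last position of their ac-interaction."""
    by_lpos = sorted(range(1, n + 1), key=lambda i: lpos(sigma, (ac, i)))
    return {worker: rank + 1 for rank, worker in enumerate(by_lpos)}


def apply_permutation(sigma, pi):
    """pi(sigma): rename worker i to pi(i) in every interaction."""
    return [(t, (a, pi[i])) for (t, (a, i)) in sigma]


def history_clocks(sigma, now):
    """h_alpha = time elapsed since the last execution of alpha (absent if never executed)."""
    h = {}
    for t, alpha in sigma:
        h[alpha] = now - t          # later occurrences overwrite earlier ones
    return h


def separation_holds(h, ac, n, k, canonical):
    """Check S (absolute differences) or, with canonical=True, S^c
    (h_{alpha_i} - h_{alpha_j} >= k for i < j) for action ac on the clocks h."""
    for i in range(1, n + 1):
        for j in range(i + 1, n + 1):
            hi, hj = h.get((ac, i)), h.get((ac, j))
            if hi is None or hj is None:
                continue            # assumption: vacuous for unexecuted pairs
            diff = hi - hj if canonical else abs(hi - hj)
            if diff < k:
                return False
    return True


# Constructed sample: three workers, the controller's cool action, k_cool = 4.
N, AC, K, NOW = 3, 'cool', 4, 20
SIGMA = [(0, ('cool', 2)), (5, ('cool', 3)), (9, ('cool', 1)), (14, ('cool', 2))]
PI = canonical_permutation(SIGMA, AC, N)
CANONICAL = apply_permutation(SIGMA, PI)

if __name__ == '__main__':
    print('canonical?', is_canonical(SIGMA, AC, N), '->', is_canonical(CANONICAL, AC, N))
    print('S   on sigma    :', separation_holds(history_clocks(SIGMA, NOW), AC, N, K, False))
    print('S^c on sigma    :', separation_holds(history_clocks(SIGMA, NOW), AC, N, K, True))
    print('S^c on pi(sigma):', separation_holds(history_clocks(CANONICAL, NOW), AC, N, K, True))
```

On `SIGMA` the absolute-value form $\mathcal{S}$ holds but $\mathcal{S}^c$ does not, because the execution is not canonical (worker 3 has the earliest last occurrence); after renaming through $\pi$ the execution is canonical and $\mathcal{S}^c$ holds, which is the situation Proposition 4.5 relies on.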

Finally, we show that for symmetric systems and properties it is correct to consider $\mathcal{S}^c$ instead of $\mathcal{S}$.

Proposition 4.5. Let $M$ be a symmetric system, $\varphi$ a symmetric property and $\Phi$ the global invariant as defined in Section 3.2. We have that if $\vdash \Phi[\mathcal{S} \leftarrow \mathcal{S}^c] \rightarrow \varphi$ then $M \models \mathsf{G}\,\varphi$.

Proof. (sketch) It suffices to show that $\vdash \Phi[\mathcal{S} \leftarrow \mathcal{S}^c] \rightarrow \varphi$ iff $\vdash \Phi \rightarrow \varphi$. "$\Leftarrow$": trivial. "$\Rightarrow$": it boils down to showing that if $\varphi$ is an invariant of $Exec^c$ then it is also an invariant of the remaining executions $\sigma$ in $Exec \setminus Exec^c$. If $\sigma$ does not have a conflicting action, we are done, as $\mathcal{S}^c$ is an invariant by default. Else, we make use of the fact that $\sigma$ has a canonical representation and that $\varphi$ is symmetric. □

An immediate application of the above reduction results in the simplification we make use of in the temperature controller example from Section 5.4. Naturally, the results can also be extended to systems with less symmetry by adapting the standard constructions of automorphisms from, for example, [23]. More precisely, for a system $M$ for which $Aut(M) = \{\pi \mid \pi(M) = M\}$ is a proper subgroup of $\Pi_n$, we need to restrict to canonical executions which are consistent with the permutations in $Aut(M)$. However, though such a generalisation is possible, it is not clear whether it is also useful: as is well pointed out in the literature about symmetries, determining $Aut(M)$ is, in itself, a hard problem. This, together with the goal of keeping the presentation as clear as possible, are the reasons why we strictly considered only fully symmetric systems.


5. Implementation and Experiments 

The method has been implemented in the RTD-Finder tool designed to check safety properties for real-time component-based systems modelled in the RT-BIP language [1]. The tool and the examples are available at http://www-verimag.imag.fr/RTD-Finder.

In RT-BIP, components are modelled as timed automata and synchronise by means of n-ary multi-party interactions. The tool takes as input a real-time BIP model and a file containing the safety property. It subsequently generates a Yices m output file where the invariants are expressed together with the property. RTD-Finder proceeds by the following steps. It extends the components with history clocks and computes their local invariants. The computation of those invariants requires the implementation of several operations on zones. For this purpose, we developed a DBM (Difference Bound Matrices) library. RTD-Finder subsequently computes the history clock constraints and the interaction invariant. It writes all these invariants to a file and calls Yices to check the satisfiability of $GI \wedge \neg\Psi$. If $GI \wedge \neg\Psi$ is unsatisfiable, the property is valid. Otherwise, Yices generates a counter-example. We note that, at present, the tool cannot conclude whether it is a valid counter-example; however, a guided backward analysis module is currently under development. The benchmarks we used in our experiments with RTD-Finder are described in what follows.


5.1. Train gate controller (TGC). This is a classical example from [H]. The system is composed of a controller, a gate and a number of trains. For simplicity, Figure 5 depicts only one train interacting with the controller and the gate. The controller lowers and raises the gate when a train enters, respectively exits. We propose to check that when all the trains are at the far location, the gate cannot be going down ($g_2$ location). The results are presented in Table. When there is more than one train, say $n$, the interactions $approach_i \mid approach$ (respectively $exit_i \mid exit$), for $1 \le i \le n$, are in conflict on $approach$ (respectively $exit$) of the controller. In this case, in addition to the separation constraints, we made use of the first heuristic presented in Section 4.1. More precisely, the invariant generated by the heuristic is as follows:

$$\bigwedge_{i \ne j} \big((h_{approach_i} \le h_0 \wedge h_{approach_j} \le h_0) \rightarrow h_{raise} \le h_0\big)$$

Figure 5: A controller interacting with a train and a gate

5.2. Fischer protocol. This is a well-studied protocol for mutual exclusion [29]. The protocol specifies how processes can share a resource one at a time by means of a shared variable to which each process assigns its own identifier number. After 0 time units, the process with the id stored in the variable enters the critical state and uses the resource. We use an auxiliary component Id Variable to mimic the role of the shared variable. The system with two concurrent processes is represented in Figure 6. The property of interest is mutual exclusion: $(cs_i \wedge cs_j) \rightarrow i = j$.

The component Id Variable has combinatorial behaviour and a large number of actions ($2n + 1$), thus the generated invariant is huge except for very small values of $n$. To overcome this issue, we made use of the second heuristic presented in Section 4.2. To simplify, we write $s_i$ instead of $set_i$ and $e_i$ instead of the corresponding action. We construct the regular expression corresponding to location $l_i$ and project it onto the actions $e_i, e_j, s_i, s_j$, respectively $e_1, e_0, s_1, s_0$. The latter projection leads to the following regular expression in restricted form:

$$R_1 = (e_0 + s_0)^* e_1.s_1 + (e_0 + s_0)^* s_1.e_1 + (e_0 + e_1)^* s_0 s_1 + (e_1 + s_0)^* e_0 s_1 + s_1$$

This regular expression translates into the following constraint on history clocks:

$$\phi(R_1) = (h_{e_0} > h_{e_1} \wedge h_{s_0} > h_{e_1} \wedge h_{s_1} < h_{e_1} \wedge h_{e_1} < h_0) \vee$$
$$(h_{e_0} > h_{s_1} \wedge h_{s_0} > h_{s_1} \wedge h_{e_1} < h_{s_1} \wedge h_{s_1} < h_0) \vee$$
$$(h_{e_0} > h_{s_0} \wedge h_{e_1} > h_{s_0} \wedge h_{s_0} > h_{s_1} \wedge h_{s_0} < h_0) \vee$$
$$(h_{s_0} > h_{e_0} \wedge h_{e_1} > h_{e_0} \wedge h_{e_0} > h_{s_1} \wedge h_{e_0} < h_0) \vee$$
$$(h_{s_1} < h_0 \wedge h_{s_0}, h_{e_0}, h_{e_1} > h_0)$$

We deduce that $at(l_i) \rightarrow \phi(R_i)$ is an invariant of the Id Variable, for any $i$. These invariants, in addition to the component invariants of the processes and the inequality constraints $\mathcal{E}(\gamma)$, are sufficient to show that mutual exclusion holds.

[Figure 6 (image not reproduced): Process1, Id Variable and Process2.]

Figure 6: The Fischer protocol
5.3. Gear controller system. Our third example is taken from m. It describes a model of gear controller components in embedded systems operating inside vehicles. A gear controller system is composed of five components: an interface, a controller, a clutch, an engine and a gear-box. The interface sends signals to the controller to change the gear. In turn, the controller interacts with the engine, the clutch and the gear-box. The engine is either regulating the torque or synchronising the speed. The gear-box sets the gear between some fixed bounds. The clutch works as the gear-box and it is used whenever the engine is not able to function correctly (under difficult driving conditions, for instance). One requirement that such a system should satisfy in order to be correct is predictability. This requirement ensures a strict order between components. For instance, it ensures that when the engine is regulating the torque, the clutch is closed and the gear-box sets the gear. Another property of interest that we checked is that the controller is in an error location only when one of the other four components is also in an error location.


5.4. Temperature controller (TC). This example is an adaptation from [12]. It represents a simplified model of a nuclear plant. The system consists of a controller interacting with an arbitrary number $n$ of rods (two, in Figure 7) in order to maintain the temperature between the bounds 450 and 900: when the temperature in the reactor reaches 900 (resp. 450), a rod must be used to cool (resp. heat) the reactor. A rod is enabled to cool again only after $900n$ units of time. The global property of interest is the absence of deadlock, that is, the system can run continuously and keep the temperature between the bounds: whenever the controller has to take the cool action, at least one of the rods is ready to synchronise with it. For one rod, $\mathcal{E}(\gamma)$ is enough to show the property. For more rods, because the interactions are conflicting, we need the separation constraints, which essentially bring as new information conjunctions of the form $\bigwedge_i \big( h_{rest_{\pi(i)}} \geq 1350 \big)$ for $\pi$ an ordering on rods. Recalling the discussion from Section 4.3, such a reduction is correct because the system enjoys the particularly helpful property of being symmetric.



Figure 7: A Controller interacting with two rods (components shown: Rod0, Controller, Rod1)

5.5. Dual chamber implantable pacemaker. As a last benchmark, we consider the verification of the dual chamber implantable pacemaker presented in [28]. A pacemaker is a device for the management of the cardiac rhythm. It paces both the atrium and the ventricle of the heart and, based on sensing both chambers, it can activate or inhibit further pacing. The pacemaker model we experimented with has five components, for (1) keeping the heart rate above a minimum value, (2) maintaining delays between atrial and ventricular activation, (3) preventing pacing the ventricle too fast, and filtering noise after (4) ventricular and (5) atrial events. In our experiments, we considered the upper rate limit (URI) property, stating that the ventricles of the heart should not be paced beyond a maximum rate, given by a constant called TURI. The property requires a minimum time elapse between a ventricular sense (VS) event and the following ventricular pace (VP) event. As in [28], we verified the property by translating it into a monitor component, shown in Figure 8. The actions VS and VP of the monitor are synchronised with those of the other components. We verified that when the monitor reaches the location interval, its clock $t$ is greater than TURI; the corresponding property is $interval \rightarrow t > TURI$.



Figure 8: Monitor for the upper rate limit property: the interval between a VS ventricular event and a VP ventricular event should be longer than TURI

Our method offers an additional way to check this property without resorting to the monitor: we expressed it directly by means of the history clocks introduced earlier. When VP follows VS, the difference between the history clocks of the two events must be longer than the required time elapse:

$(h_{VP} < h_{VS} \wedge h_{VS} \neq h_0) \rightarrow h_{VS} - h_{VP} > TURI$
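The monitor of Figure 8 and the history-clock formula above can be compared on a concrete event trace. The following Python is an added example, not code from the paper or from RTD-Finder: it replays a constructed sequence of timestamped VS/VP events, evaluates the property once as the Figure 8 monitor (clock $t$ reset on VS, checked when a VP moves the monitor to the interval location) and once by maintaining history clocks and evaluating the formula, and returns the times at which each detects a violation. The value of TURI, the event trace, keeping one history clock per action (rather than per interaction as in the paper) and the encoding of $h_0$ as a clock that is never reset are assumptions of the example.

```python
# Added example (not from the paper or RTD-Finder): checking the upper rate limit
# property on a constructed VS/VP event trace, once via the Figure 8 monitor and
# once via the history-clock formula
#     (h_VP < h_VS and h_VS != h_0) -> h_VS - h_VP > TURI
# History clocks are kept per action (an assumed simplification of the paper's
# per-interaction clocks) and h_0 is modelled as a clock that is never reset.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TURI = 400.0  # assumed value (ms); only the constant's name comes from the paper

Event = Tuple[float, str]  # (absolute time, action) with action in {"VS", "VP"}

# Constructed trace: the VS/VP pair 300 ms apart is too fast, everything else is fine.
# Note: an event at time 0 would satisfy h_a == h_0 forever under this encoding of
# h_0, so the trace starts later.
TRACE: List[Event] = [
    (100.0, "VP"),                   # VP before any VS: not covered by the property
    (200.0, "VS"), (700.0, "VP"),    # 500 ms  > TURI
    (900.0, "VS"), (1200.0, "VP"),   # 300 ms <= TURI: violation
    (1500.0, "VS"), (2000.0, "VP"),  # 500 ms  > TURI
    (2100.0, "VP"),                  # second VP: h_VS - h_VP = 600 > TURI
]


@dataclass
class HistoryClocks:
    """h_a is the time elapsed since the last occurrence of action a.
    An action that has never occurred has h_a == h_0 (the never-reset clock)."""
    now: float = 0.0
    last: Dict[str, float] = field(default_factory=dict)

    def h(self, action: str) -> float:
        return self.now - self.last[action] if action in self.last else self.now

    def h0(self) -> float:
        return self.now

    def advance(self, t: float) -> None:
        assert t >= self.now, "time must not go backwards"
        self.now = t

    def fire(self, action: str) -> None:
        self.last[action] = self.now  # reset h_action to 0


def uri_formula_holds(hc: HistoryClocks) -> bool:
    """(h_VP < h_VS and h_VS != h_0) -> h_VS - h_VP > TURI, evaluated on one state."""
    h_vs, h_vp = hc.h("VS"), hc.h("VP")
    if h_vp < h_vs and h_vs != hc.h0():
        return h_vs - h_vp > TURI
    return True


def history_clock_violations(trace: List[Event]) -> List[float]:
    """Times at which the history-clock formula becomes false.
    Between events all clocks advance at the same rate, so h_VS - h_VP and the
    antecedent are constant; evaluating right after each event is sufficient."""
    hc, violations = HistoryClocks(), []
    for time, action in trace:
        hc.advance(time)
        hc.fire(action)
        if not uri_formula_holds(hc):
            violations.append(time)
    return violations


def monitor_violations(trace: List[Event]) -> List[float]:
    """The Figure 8 monitor: VS resets clock t; a following VP moves the monitor
    to location 'interval', where the invariant t > TURI must hold."""
    location = "init"
    t_reset: Optional[float] = None
    violations: List[float] = []
    for time, action in trace:
        if action == "VS":
            location, t_reset = "wait", time          # t := 0
        elif action == "VP" and location in ("wait", "interval"):
            location = "interval"
            t = time - t_reset                        # current value of clock t
            if not t > TURI:
                violations.append(time)
    return violations


if __name__ == "__main__":
    print("monitor        :", monitor_violations(TRACE))
    print("history clocks :", history_clock_violations(TRACE))
```

Both checks flag the same event (the VP at 1200 ms), which is what the paper's claim that the history-clock formula can replace the monitor amounts to on this trace; a VP that is not preceded by any VS is ignored by both, since the monitor is still in its initial location and $h_{VS} = h_0$ keeps the formula's antecedent false.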


5.6. Results. We ran our experiments on a Linux machine with an Intel Core 3.20 GHz x4 processor and 15.6 GiB of memory. The results, synthesised in Table 1, show the potential of our method in terms of accuracy and scalability. In Table 1, $n$ is the number of components, $q$ the total number of control locations, $c$ (resp. $h$) the number of system clocks (resp. history clocks), $i$ the number of interactions, $t$ the total verification time and $t_{Yices}$ the time taken by Yices for the satisfiability check of $GI \wedge \neg\Psi$.

To the best of our knowledge, there are no tools that compositionally verify safety properties of timed systems, so there is no directly comparable tool for RTD-Finder. Nevertheless, we did a small comparison with Uppaal [?]. Uppaal is a well-known, highly optimised model-checking tool; thanks to its reduction techniques, it scores better on the first example (the TGC system) in particular and on smaller systems in general. Nonetheless, state space exploration is generally costly, as the temperature controller example illustrates: for 10 rods, Uppaal had produced no result after five hours and 436519 explored states, whereas RTD-Finder checked the property for 300 rods in a few minutes, as shown in Table 1. Note that the two tools answer different questions: Uppaal explores the exact state space, while RTD-Finder checks an over-approximating invariant, so a violation it reports may be a false positive (see Section 6). The timings for RTD-Finder are obtained with the Java method getCpuTime, which computes the total verification time, while the Uppaal results come from the verifyta command shipped with the Uppaal 4.1.14 distribution.
Model                                  n     q      c     i      h      t          t_Yices
Train gate controller (50 trains)      52    158    52    102    106    0.5s       0.3s
Train gate controller (100 trains)     102   308    102   202    206    5.3s       0.6s
Train gate controller (200 trains)     202   608    202   402    406    1m33s      5s
Train gate controller (300 trains)     302   908    302   602    606    9m8s       20s
Train gate controller (500 trains)     502   1508   502   1002   1006   1h13m20s   2m52s
Temperature controller (20 rods)       21    42     21    40     42     0.07s      0.01s
Temperature controller (50 rods)       51    102    51    100    102    0.35s      0.04s
Temperature controller (100 rods)      101   204    102   200    204    3.7s       0.08s
Temperature controller (300 rods)      301   602    302   600    602    5m47s      0.9s
Fischer protocol (100 processes)       101   400    101   300    501    2.7s       0.06s
Fischer protocol (200 processes)       201   800    201   600    1001   0m47s      0.22s
Fischer protocol (300 processes)       301   1200   301   900    1501   4m27s      0.5s
Gear controller                        5     65     4     17     32     15.1s      0.14s
Pacemaker (with monitor)               7     19     11    6      21     15.23s     0.044s
Pacemaker (without monitor)            6     16     9     6      19     15s        0.032s

Table 1: Results from experiments (n: components, q: control locations, c: system clocks, i: interactions, h: history clocks, t: total verification time, t_Yices: Yices satisfiability-checking time)
Related Work 

Automatic generation of invariants for concurrent systems is a long-studied topic. Yet, to our knowledge, specific extensions or applications to timed systems are rather limited. As an exception, the papers [?] propose a monolithic, non-compositional method for finding invariants in the case of systems represented as a single timed automaton.

Compositional verification for timed systems has mainly been considered in the context of timed interface theories [2] and contract-based assume-guarantee reasoning [?]. These methods usually rely upon choosing a "good" decomposition structure and require the individual abstractions of components to be deterministic timed I/O automata. Finding the abstractions is in general difficult; however, their construction can be automated by using learning techniques [30] in some cases. In contrast to the above, we propose a fully automated method that generates, in a compositional manner, an invariant approximating the reachable states of a timed system.

Abstractions also serve for compositional minimisation: for instance, [?] minimises by constructing timed automata quotients with respect to simulation; these quotients are in turn composed for model-checking. Our approach is orthogonal in that we do not compose at all. Compositional deductive verification as in [?] is also orthogonal to our work in that, by choosing a particular class of local invariants to work with, we need not focus on elaborate proof systems but can reason at a level closer to intuition.

The use of additional clocks has been considered, for instance, in [?]. There, extra reference clocks are added to components to faithfully implement a partial order reduction strategy for symbolic state space exploration. Time is allowed to progress desynchronised for individual components and is re-synchronised only when needed, i.e., for direct interaction between components. Clearly, the history clocks in our work behave in a similar way; however, we use clocks as a helper construction in the generation of invariants and we totally avoid global state space exploration. Finally, another successful application of extra clocks is given in [33] for the timing analysis of asynchronous circuits. There, specific history clocks are reset on input signals and used to provide a new time basis for the construction of an abstract model of the output signals of the circuit.

6. Conclusions 

We presented a fully automated compositional method for generating global invariants of timed systems described as parallel compositions of timed automata components with multi-party interactions. The soundness of the proposed method has been proven. The method has been implemented in the RTD-Finder tool and successfully tested on several benchmarks. The results show that it may outperform existing exhaustive exploration-based techniques on large systems, thanks to the use of compositionality and over-approximation. Nonetheless, the generated invariant is an over-approximation of the set of reachable states, so false positives may arise. To remedy this, we are working on a guided backward analysis module to decide upon their validity.

In order to achieve a better integration, we are working on handling richer classes of systems, including systems with data variables and urgencies [7] on transitions. Urgencies provide an alternative way to constrain time progress which is more intuitive for programmers but very difficult to handle compositionally. A second direction of research, potentially interesting for systems containing identical, replicated components and closely related to symmetry-based reduction, is the application of our method to the verification of parameterised timed systems. Finally, we are considering specific extensions to particular classes of timed systems and properties, in particular for the schedulability analysis of systems with mixed-criticality tasks.
Dellabani for his help with two benchmarks.